use cmd

Most people use a graphical user interface (or GUI) like Microsoft Windows to find and edit files on their computers. But there is another way: a command line interface (or CLI) lets you type out specific commands so you can manage your computer's files. If you already know exactly what you need to do, using CLI can be faster than clicking through Windows. Lifehacker compares using CLIs to finding a shortcut on the road: it's a little harder to navigate at first, but eventually saves you a lot of time. Using Command Prompt isn't just a hangover from the old days of PC computing in MS-DOS. Mastery of this interface can save you a lot of time on common chores that require a lot of repetitive clicking and window navigation. With a tutorial in its basic commands, as well as tips and tricks to work it like a pro, this guide will show you How to Use Command Prompt on your Windows machine. It will show you how to use Command Prompt, the CLI on all Windows machines. It will instruct you in the command strings and syntax needed to use Command Prompt, as well as offer tips and tricks to make Command Prompt even more useful once you've mastered the basics.

Step 1: Understanding Command Prompt

The Command Prompt environment is very different from Windows Explorer, but remember that it is simply another way to access and move your files. Once you're familiar with the ways in which Command Prompt differs from the more visually familiar Windows Explorer it will be much easier to get started with the basic commands for Command Prompt. The two most important differences to prepare for:

There are no icons, only text!

1. Everything is represented by text. You see where a file is based on its location in a list, which is itself contained in a folder. 2. Think of Command Prompt's display like navigating Windows Explorer under theDetails view. If you're unfamiliar with this view, try it out before you take a crack at Command Prompt. -In Windows Vista, open up any folder and there will be a pull-down menu markedViews. Select Details. -In Windows XP or earlier, open up any folder and there will be a View tab in the toolbar at the top of the window. Click it and select Details. 3. Move around your hard drive in the Details view and get comfortable looking at your folders and files as text-only filenames rather than icons.

There is no clicking, only typing!

1. This isn't 100% true, since some shortcuts will have you clicking a little bit (we'll cover them later with other, more advanced features). But these are merely exceptions to the basic rule that there will be no clicking. 2. Navigating folders and managing your files will be done strictly through text commands once you get into Command Prompt.

3. It might help to go back to the Details view in Windows Explorer and experiment withusing your files with as few mouse clicks as possible. Practice a few mouse-less techniques: a. The box at the top of the window which displays the folder's location on your hard drive is called the Address Bar. -Try moving to different folders by typing their location into the Address Barand hitting Enter. b. Move to parts of the window that you cannot arrow into by using the Tab key. -If you are in the file list and want to get to the Address Bar, pressing Tab to cycle through the different parts of the window until you get to the Address Bar. c. Selecting multiple files that are next each other in the list: -Press and hold Shift, then use the Up and Down arrow keys to highlight more files. -Let go of Shift when you have all the files that you want. d. Selecting multiple files that are scattered throughout the list: -Press and hold Ctrl, then use the Up and Down arrow keys to get to move around the list. -When you get to a file you want to select, press Spacebar to add it to the group. -Let go of Ctrl when you have all the files that you want.

Step 2: Opening Command Prompt

Command Prompt is included in all versions of Windows, but you will open it in different ways depending on which version. This is the only difference though; once Command Prompt is opened, you will be using it the same way no matter what version you're running.

Through the Start Menu: 1. Click on Start. 2. Open the Accessories folder. 3. Select Command Prompt. If for any reason you cannot find the folder, you can also open it manually:

In Windows Vista: 1. Click on Start. 2. In the Start Search box, enter cmd

In Windows XP or earlier: 1. Click on Start. 2. Click on Run and enter cmd. Command Prompt will start you off in your Windows Profile's default folder (C:\Documents and Settings\USERNAME\ in both Vista and XP). But if you already have a specific folder in mind that you need to get to, you can save a little navigation time with a Windows Vista trick uncovered by a developer: 1. While holding the Shift key, right click on any folder. 2. The menu that opens up will have an extra option marked Open Command Prompt Here. 3. Command Prompt will open, pre-navigated to the folder which you right-clicked.

Step 3: Using Basic Commands

Before you start tooling around, Command Prompt includes a help command that you should consult. Typing help will bring up a list of all its valid commands. And from here, typing help COMMAND

NAME will give you more information about the specified command. But since the help function seems intended as a brief refresher, here is a proper introduction to the important basic commands.

Navigation
1. dir will display the contents of your current folder. If there is too much to fit on the screen at once, use dir /p to go through the contents one page at a time. 2. cd FOLDERNAME (or chdir FOLDERNAME) will access the specified folder. Note that you can only access files or other folders that are within your current folder. Example: If you are at C:\ and you want to access C:\BIGFOLDER\TARGETFOLDER\ -Enter cd BIGFOLDER to get to C:\BIGFOLDER\ -Now enter cd TARGETFOLDER to get to C:\BIGFOLDER\TARGETFOLDER\ 3. cd.. will move you up one folder. Example: If you are at C:\BIGFOLDER\TARGETFOLDER\ -Enter cd.. to bring you up to C:\BIGFOLDER\ 4. cd\ will bring you back to the root directory regardless of what folder you are currently in. Example: If you are at C:\BIGFOLDER\TARGETFOLDER\ -Enter cd\ to bring you back to C:\ 5. X: will change to another attached hard-drive or partition (where X is the letter name). Example: If you are at any folder in C:\ -Enter D: to get to D:\ 6. exit will close the Command Prompt window regardless of what folder you are in.

File Operations
1. del (or delete) will delete a specified file. Note that it deletes your file immediately and does not send it to the Recycle Bin first. So be sure of what you want to delete. 2. copy will put a copy of the input file to the specified output folder. Example: If you want to copy a file named test.txt -Enter copy c:\LOCATION\test.txt c:\LOCATION2\ -Note that this will keep a copy in C:\LOCATION\ as well as place another copy of it in C:\LOCATION2\ 3. move will move an input file to the specified output folder. Example: If you want to move a file named test.txt -Enter move c:\LOCATION\test.txt c:\LOCATION2\ -Note that unlike the copy command, move will not keep a copy in the original location. Now test.txt will only exist in C:\LOCATION2\ 4. ren (or rename) will rename a file to a specified new filename. Example: If you have a file named test.txt -Enter ren C:\LOCATION\test.txt testing.txt -Now, test.txt has become testing.txt

Folder Operations

1. The copy, move, and rename commands all work the same way with folders as they do with files. 2. del will delete all the files contained within a folder. Note that it does not delete the folder itself, nor any folders within it, only files. Example: You have a folder C:\LOCATION\ that contains a text file test.txt and a subfolder \SUBLOCATION\ -Enter del C:\LOCATION, and test.txt will be gone, while \SUBLOCATION\ is still there, and completely unaltered 3. rd (or rmdir) is how you delete a specified folder. Note that it must be empty, or else the command will not work. 4. md (or mkdir) will create a folder at a specified location. Example: You have a folder C:\LOCATION\ with nothing in it -Enter md C:\LOCATION\Folder to create \Folder\ within C:\LOCATION\ There are a few more advanced commands that Command Prompt accepts but, depending on your needs, you may or may not want to delve quite that deeply.

Step 4: Using Keyboard Shortcuts

Despite the bare-bones nature of Command Prompt, there are still plenty of helpful hotkeys and built-in tools designed to minimize the otherwise silly amounts of typing you'll need to do in order to perform many tasks.

Arrow Keys
1. Left arrow will move the cursor, like in a word processor. This way you can edit your command without having to delete what you've already typed. 2. Right arrow will rebuild the last command you entered, character by character. 3. The Up and Down arrows will cycle through previously entered commands.

Function Keys

Each of the Function Keys (F1-F9) recall your previously entered commands in different ways. While a couple of them are very similar to the arrow keys, many of them are notably more advanced: 1. F3 will immediately display your last entered command so you don't have to rebuild it one character at a time. 2. F7 will list your command history in a menu so you can select a particular entry. -Alt-F7 will clear your command history which is useful if you only want to track a certain series of entries 3. F8 will cycle through your previously entered commands. But unlike the Up and Downshorctuts, if you specify a few characters F8 will only cycle through commands that begin with that string. -Example: If you type cd, F8 will cycle through all your Change Directory commands.

The Tab Key

Tab will cycle through the items in your current directory. -Similar to F8, you can specify a few characters to cycle only through the items that start with a specific name.

Tips For Using Command Prompt

Here are a few tips to unlock some of the more esoteric, but definitely useful, applications of Command Prompt.

Give Command Prompt a Makeover

1. 2. 3. 4.

5.

If you're planning on using it more often, it will soon be obvious that Command Prompt isn't going to win any beauty pageants. At least not in its default state. Thankfully, it is flexibly designed so you can customize the display settings to make the program both easier on the eyes and more efficient, too. Open a Command Prompt window and click on the icon in the top left corner. Click on Properties to bring up a customization menu In this menu, you can change things like font size and background color to suit your taste. It also contains a few handy technical options. Of particular importance: a. Editing the Command History Buffer Size will increase the number of commands you can recall with the arrow keys. b. Editing the Screen Buffer Size will allow you to scroll back further in the Command Prompt window so you can keep track of what you've been doing. When you've dolled up your Command Prompt window to your liking, make sure to save the changes! a. Close the Properties menu. b. A dialog box titled Apply Properties will pop up. c. Select Save properties for futures windows with same title.

The Wildcard Operator

* (the asterisk symbol) is called the wildcard operator, an evocative name for a powerful tool. Proper use of the wildcard will allow you to apply a file or folder command over multiple targets at once. For example, if you wanted to delete all the files in a folder that contain the string "photo" in the filename, you would have to do a lot of squinting and clicking in Windows Explorer. With the wildcard operator in Command Prompt, you can use a single command to do the same thing. Placing the wildcard in different places in text will target specific portions of text: 1. Wildcarding all targets ending with certain letters: Example: You have a folder of music in both .mp3 and .wma format, and need to delete all the .wma files -Navigate to the specific folder with your MP3s and WMAs. -Enter DEL *.wma and only mp3 files will remain in the directory. 2. Wildcarding all targets starting with certain letters: Example: You want to move to your Documents and Settings from C:\ -Enter CD Doc* and you will be directed to C:\Documents and Settings o Note that you have to provide enough letters to specify a unique target name. If you had another folder in C: called Doctors, you would have to enter at least CD Docu* to specify a unique folder 3. Wildcarding all targets containing certain letters: Example: You want to list all the files in a folder that have the word "photo" in the filename -Enter DIR *photo* and you will see a list of all the files, regardless of format, that have "photo" in the name

Troubleshoot Your Wireless Network

Networking on your computer already seems like weird, alien magic, so it should be no big surprise that Command Prompt, itself rather unfamiliar to most users, is a common tool in troubleshooting your network settings. The command ipconfig has a number of different uses in managing your network settings in Windows. Regardless of your current folder in Command Prompt, typing ipconfig will display your network information, including your local and network IP Address. There are also a few additional features built into the command that are commonly used in troubleshooting networks: ipconfig /all will display more information about both the network and your computer's specific network settings. ipconfig /release will clears out any network IP addresses associated with your computer. ipconfig /renew will reinitialize your IP address on your network. o -Running ipconfig /release and then ipconfig /renew is a basic step that iscommonly recommended to fix an unresponsive network connection.

Run Command Line Software

Lots of specialized software, especially among the open-source, home-brewed software crowd, does not include a GUI that you can access from your Windows Desktop. There's an abundance of software that needs to be run through command line. Some open source software in this category can be found on [1].

Forcibly Delete Files

Another neat trick that Command Prompt has come to be known for is the ability to help you delete difficult files. If you have a file that Windows insists is in use by another program when you know that it isn't, or cannot be accessed when you know it can, the DEL command can help you get around this common problem in Windows.

CMD.exe
Start a new CMD shell.
Syntax CMD [charset] [options] [My_Command] Options /C /K Carries out My_Command and then terminates Carries out My_Command but remains

My_Command : The command, program or batch script to be run. This can even be several commands separated with '&' (the whole should also be surrounded by "quotes") /T:fg Sets the foreground/background colours

/X /Y /A /U

Enable extensions to CMD.EXE under Windows 2000 you can also use /E:ON Disable extensions to CMD.EXE under Windows 2000 you can also use /E:OFF Output ANSI Characters Output UNICODE Characters These 2 swiches are useful when piping or redirecting to a file Most common text files under WinNT are ANSI, use these switches when you need to convert the character set.

/D Ignore registry AutoRun commands HKLM | HKCU \Software\Microsoft\Command Processor\AutoRun /F:ON Enable auto-completion of pathnames entered at the CMD prompt /F:OFF Disable auto-completion of pathnames entered at the CMD prompt (default)

At the command prompt Ctrl-D gives folder name completion and Ctrl-F gives File and folder name completion. These key-strokes will display the first matching path. Thereafter, repeated pressing of the same control key will cycle through the list of matching paths. Pressing SHIFT with the control key will move through the list backwards.
/Q /S Turn echo off Strip quote characters from the command_line

/V:ON Enable delayed environment variable expansion this allows a FOR loop to specify !variable! instead of %variable% expanding the variable at execution time instead of at input time. /V:OFF Disable delayed environment expansion. Environment expansion preference can be set permanently in the registry HKLM | HKCU \Software\Microsoft\Command Processor\DelayedExpansion Set to either 0x1 or 0x0 /knetdiag /debug /knetdiag /fix The knetdiag switches are undocumented and work in XP only they list and (may) fix these networking issues. If /C or /K is specified, then the remainder of the command line is processed as an immediate command in the new shell. Multiple commands separated by the command separator '&&' are accepted if surrounded by quotes. The following logic is used to process quote (") characters: 1. If all of the following conditions are met, then quote characters on the command line are preserved:

- no /S switch - exactly two quote characters - no special characters between the two quote characters, where special is one of: &<>()@^| - there are one or more whitespace characters between the the two quote characters - the string between the two quote characters is the name of an executable file. 2. Otherwise, old behavior is to see if the first character is a quote character and if so, strip the leading character and remove the last quote character on the command line, preserving any text after the last quote character.

Command.com vs cmd.exe All the commands on these pages assume you are running the 32 bit or 64 bit command line (cmd.exe) The old 16 bit command processor command.com is supplied to provide backward compatibility for 16 bit DOS applications. Command.com has very limited functionality compared to cmd.exe e.g. it will fail to set an %errorlevel% after many commands. If you name your batch scripts with the extension .CMD rather than .BAT then they will not run under command.com even if copied to a Windows 95 machine. The %COMSPEC% environment variable will show if you are running CMD.EXE or command.com On 64 bit versions of windows the 32 bit CMD.exe can be found at %windir%\SysWoW64\cmd.exe To reduce compatibility issues, the WOW64 subsystem isolates 32-bit binaries from 64-bit binaries by redirecting registry calls and some file system calls. Opening CMD from Windows Explorer You can open a new CMD prompt by choosing START, RUN, cmd, OK Registry Keys for CMD: ;Allow UNC paths at command prompt
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor] "DisableUNCCheck"=dword:00000001

; Run a command when CMD.exe starts

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor] "AutoRun"=-

; Activate Automatic Completion

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]

"CompletionChar"=0x9

; For Windows 7: Add an elevated 'Open CMD prompt here (Admin)' option to the ; context menu for file system folders:
[HKEY_CLASSES_ROOT\Directory\shell\runas] @="Open CMD prompt here (Admin)" [HKEY_CLASSES_ROOT\Directory\shell\runas\command] @="cmd.exe /k pushd %L"

; For Windows 7: Add an elevated 'Open CMD prompt here (Admin)' option to the ; My Computer context menu:
[HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\runas] @="Open CMD prompt here (Admin)" [HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D808002B30309D}\shell\runas\command] @="cmd.exe"

Previous Commands Pressing the UP arrow will list previous commands entered at the command prompt. Other DOSKEY function keys are loaded by default (F7, F8, F9) Copy and Paste / QuickEdit To simplify the use of cut and paste at the Command Prompt, enable QuickEdit mode as follows: Activate the control menu at the top left of the current cmd window, go to Properties, Options tab and then tick against QuickEdit Mode. Now you can select text with the mouse and hit Enter (or right click) to copy it to the clipboard. Paste anywhere using Control+V (or Right Click) or via the menu. ESC will cancel any selection and return to editing mode. When copying between windows, you may need one click to select the window and a second click to paste. Run multiple instances of CMD.exe At the command line or in a batch script CMD will start a new instance of CMD.exe which will appear in the same window. The EXIT command will close the second CMD instance and return to the previous shell. A method of calling one Batch script from another is to run a command like CMD /c
C:\docs\myscript.cmd

The output of CMD can be redirected into a text file. Notice that where CMD /c is used, the EXIT command is not required.

The environment Variable %CMDCMDLINE% will expand into the original command line passed to CMD.EXE The native version of CMD.exe is always in %windir%\system32, on 64 bit operating systems there is also a 32 bit CMD.exe in %windir%\SysWOW64 Pausing or stopping a batch script Execution of any batch script can be paused by pressing CTRL-S This also works for pausing a single command such as a DIR listing Pressing any key will resume the operation. Execution of any batch script can be stopped by pressing CTRL-C If one batch file CALLs another batch file CTRL-C will exit both batch scripts. If CMD /c is used to call one batch file from another then CTRL-C will cause only one of the batch scripts to terminate. (see also EXIT) Long Commands and long filenames Under Windows XP, the CMD command line is limited to 8,191 characters. For all versions of Windows, NTFS and FAT allows pathnames of up to 260 characters. A workaround for the limited pathname length is to prefix \\?\ for example:
\\?\C:\TEMP\Long_Directory\Long_Filename.txt

ErrorLevel CMD /C will return an errorlevel, for example CMD /c dir Z: where the drive Z: does not exist, will return %errorlevel% = 1 to the calling CMD shell. Full Screen The key combination ALT + ENTER will switch a CMD window to full screen mode. press ALT and ENTER again to return to a normal Window. Command Extensions Much of the functionality of CMD.exe can be disabled - this will affect all the internal commands, Command Extensions are enabled by default. This is controlled by setting a value in the registry: HKCU\Software\Microsoft\Command Processor\EnableExtensions Alternatively under Win XP you can run CMD /e:on or CMD /e:off "Those who can command themselves, command others" - Hazlitt
Introduction

Before Windows was created, the most common operating system that ran on IBM PC compatibles was DOS. DOS stands for Disk Operating System and was what you would use if you had started your computer much like you do today with Windows. The difference was that DOS was not a graphical operating system but rather purely textual. That meant in order to run programs or manipulate the operating system you had to manually type in commands. When Windows was first created it was actually a graphical user interface that was created in order to make using the DOS operating system easier for a novice user. As time went on and newer versions of Windows were developed DOS was finally phased out with Windows ME. Though the newer operating systems do not run on DOS, they do have a something called the command prompt, which has a similar appearance to DOS. In this tutorial we will cover the basic commands and usage of the command prompt so that you feel comfortable in using this resource. Using the Command Prompt or Dos Window When people refer to the command prompt they may we refer to it in different ways. They may refer to it as a shell, console window, a command prompt, a cmd prompt, or even dos. In order to enter the command prompt you need to run a program that is dependent on your operating system. Below we list the programs that you need to run to enter a command prompt based on the version of Windows you are running. Operating System Command Notes Windows 3.1,.3.11, 95, This program when run will open up a command prompt window command.com 98, ME providing a DOS shell. Windows NT, 2000, XP, This program will provide the native command prompt. What we call cmd.exe 2003 the command prompt. Windows NT, 2000, XP, This program will open up a emulated DOS shell for backwards command.com 2003 compatibility. Only use if you must. To run these programs and start a command prompt you would do the following steps: Step 1: Click on the Start Menu Step 2: Click on the Run option Step 3: Type the appropriate command in the Open: field. For example if we are using Windows XP we would type cmd.exe. Step 4: Click on the OK button After following these steps you will be presented with a window that look similar to Figure 1 below.

Figure 1. Windows Command Prompt The command prompt is simply a window that by default displays the current directory, or in windows term a folder, that you are in and has a blinking cursor ready for you to type your commands. For example in Figure 1 above you can see that it says C:\WINDOWS>. The C:\WINDOWS> is the prompt and it tells me that I am currently in the c:\windows directory. If I was in the directory c:\program files\directory the prompt would instead look like this: C:\PROGRAM FILES\DIRECTORY>. To use the command prompt you would type in the commands and instructions you want and then press enter. In the next section we will discuss some useful commands and how to see all available built in commands for the command prompt. Useful commands The command.com or cmd.exe programs have built in commands that are very useful. Below I have outlined some of the more important commands and further instruction on how to find information on all the available commands. The Help command - This command will list all the commands built into the command prompt. If you would like further information about a particular command you can type help commandname. For example help cd will give you more detailed information on a command. For all commands you can also type the command name followed by a /? to see help on the command. For example, cd /? The Exit command - This command will close the command prompt. Simply type exit and press enter and the command prompt will close. The CD command - This command allows you to change your current directory or see what directory you are currently in. To use the CD command you would type cd directoryname and press enter. This would then change the directory you are currently in to the one specified. When using the cd command you must remember how paths work in Windows. A path to a file is always the root directory, which is symbolized by the \ symbol, followed by the directories underneath it. For example the file notepad.exe which is located in c:\windows\system32 would have a path as follows \windows\system32\notepad.exe. If you want to change to a directory that is currently in your current directory you do not need the full path, but can just type cd directoryname and press enter. For example if you are in a directory called c:\test, and there were three

directories in that the test directory called A, B, and C, you could just type cd a and press enter. You would then be in the c:\test\a. If on the other hand you wanted to change your directory to the c:\windows\system32 directory, you would have to type cd \windows\system and press enter. The DIR command - This command will list the files and directories contained in your current directory, if used without an argument, or the directory you specify as an argument. To use the command you would just type dir and press enter and you will see a listing of the current files in the directory you are in, including information about their file sizes, date and time they were last written to. The command will also show how much space the files in the directory are using and the total amount of free disk space available on the current hard drive. If I typed dir \testI would see the contents of the c:\test directory as shown in Figure 2 below.

Figure 2. DIR of c:\test If you examine the screen above you will see a listing of the directory. The first 2 columns are the date and time of the last write to that file. Followed by whether or not the particular entry is a directory or a file, then the size of the file, and finally the name of the file. You may have noticed that there are two directories named . and .., which have special meaning in operating systems. The . stands for the current directory and the .. stands for the previous directory in the path. In the example above, .. stands for c:\windows. Also note for many commands you can use the * symbol which stands for wildcard. With this in mind, typing dir *.txt will only list those files that end with .txt. The Copy command - This command allows you to copy files from one location to another. To use this command you would type copy filetocopy copiedfile. For example if you have the file c:\test\test.txt and would like to copy it to c:\windows\test.txt you would type copy c:\test\test.txt c:\windows\test.txt and press enter. If the copy is successful it will tell you so and give you back the prompt. If you are copying within the same directory you do not have to use the path. Here are some examples and what they would do: copy test.txt test.bak copy test.txt Copies the test.txt file to a new file called test.bak in the same directory Copies the test.txt file to the \windows directory.

\windows copy * \windows

Copies all the files in the current directory to the \windows directory.

The Move command - This command allows you to move a file from one location to another. Examples are below: move test.txt test.bak move test.txt \windows move * \windows Moves the test.txt file to a new file renaming it to test.bak in the same directory. Moves the test.txt file to the \windows directory. Moves all the files in the current directory to the \windows directory.

At this point you should use the help command to learn about the other available commands. Redirectors Redirectors are an important part to using the command prompt as they allow you to manipulate how the output or input of a program is displayed or used. Redirectors are used by appending them to the end of a command followed by what you are redirecting to. For example: dir > dir.txt. There are four redirectors that are used in a command prompt and they are discussed below:

>

This redirector will take the output of a program and store it in a file. If the file exists, it will be overwritten. If it does not exist it will create a new file. For example the command dir > dir.txt will take the output of the dir command and place it in the dir.txt file. If dir.txt exists, it will overwrite it, otherwise it will create it. This redirector will take the output of a program and store it in a file. If the file exists, the data will be appended to the current data in the file rather than overwriting it. If it does not exist it will create a new file. For example the command dir >> dir.txt will take the output of the dir command and appends it to the existing data in the dir.txt file if the file exists. If dir.txt does not exist, it will create the file first. This redirector will take the input for a program from a specified file. For example the date command expects input from a user. So if we had the command date < date.txt, it would take the input for the date program from the information contained in the date.txt file. This redirector is called a pipe. It will take the output of a program and pipe it into another program. For example dir | sort would take the output of the dir command and use it as input to the sort command.

>>

<

Batch Files Batch files are files that have an extension ending in .bat. They are simply scripts that contain command prompt commands that will be executed in the order they are listed. To create a batch file, just make a file that ends in .bat, such as test.bat, and inside the file have the commands you would like. Each command should be on its own line and in the order you would like them to execute. Below is example batch file. It has no real use but will give you an example of how a batch files works. This test batch file contains the following lines of text: cd cd \test

dir cd \ If I was to run the test.bat file I created I would have output that looks like the following:

Figure 3: Example of a batch file running. As you can see from the figure above, my batch file executed each command in my batch file in the sequence they were written in the batch file. Console Programs If a program is created for express purpose of running within a command prompt, or console window, that program is called a console program. These are programs that are not graphical and can only be run properly from within a command prompt window. Below is a list of sites that contain console programs that may be useful to you: http://www.csc.calpoly.edu/~bfriesen/software/console.shtml/software.shtml http://unxutils.sourceforge.net/ There are many more sites that have tools available. Just do a Google search on windows console programs. Conclusion The command prompt can be a very powerful and versatile tool for a computer user. Hopefully this brief introduction into the command prompt will enable you to use your computer more efficiently. If you have any questions on how to use the command prompt, please do not hesitate to ask us in the computer help forums. --

Windows Command Prompt in 15 Minutes

There are only a few Command Prompt commands that you will need to master to make it through COS 126. The following is a brief tutorial covering the most important ones.

What is Command Prompt? The Command Prompt program allows you to work in an environment that looks more like a traditional operating system as opposed to the icon based Windows environment. In Command Prompt, you will use your keyboard. You won't use your mouse at all. Command Prompt works at a lower level than Windows. This means that you will have more control over the machine. The disadvantage is that it is less user-friendly. You will need the command prompt in COS 126 to compile and execute your Java programs. Learning the Command Prompt also provides a gradual transition to Unix and Linux systems, which are prevalent in science, engineering, and industry. To launch Command Prompt select Start -> Run and type cmd in the box. The Command Prompt shows up as a black terminal window. The command prompt should look something like:
C:\>

This is where you type commands. The boldface type below (that follows the command prompt) is what you should type as you work through this tutorial. Windows does not care if you use upper or lower case. That means that command cd is the same as CD. It also means that, in Windows, file HelloWorld.java is the same as helloworld.java. This is NOT true in the system to which you will be submitting your files. Be very careful!!! Some Useful Commands

javac: To compile a Java program, use the javac command. Your program should compile without any errors or warnings (or if there are warnings be absolutely sure that they do not indicate a flaw in your program).
C:\>javac HelloWorld.java

java: To run a successfully compiled Java program, use the java command.
C:\>java HelloWorld

more: Display the contents of a file one screenful at a time.

C:\>more HelloWorld.java

exit: Exit the Command Prompt program and close the terminal window.
C:\>exit

Working with Files and Directories You can also use Command Prompt commands to organize files into a directory hierarchy. These commands are equivalent to corresponding commands that you access via the Windows pointand-click interface. It is useful to be familiar with both interfaces for managing files.

dir: To view the contents of a directory, type dir. This command will list all the files and directories within the current directory. It is analogous to clicking on a Windows folder to see what's inside.
C:\> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\ 10/26/2004 10/26/2004 02/10/2005 12/09/2004 02/10/2005 11/02/2004 12/29/2004 01/13/2005 01:36 PM 0 AUTOEXEC.BAT 01:36 PM 0 CONFIG.SYS 01:36 PM 126 HelloWorld.java 12:11 AM DIR Documents and Settings 08:59 PM DIR introcs 08:31 PM DIR j2sdk1.4.2_06 07:15 PM DIR Program Files 07:33 AM DIR WINDOWS 3 File(s) 126 bytes 5 Dir(s) 32,551,940,096 bytes free

There are 7 items in this directory. Some of them are files, like HelloWorld.java. Others are directories, like introcs.

cd: It is frequently useful to know in which directory you are currently working. In order to find out, type cd at the command prompt.
C:\> cd C:\

To change directories, use the cd command with the name of a directory.

C:\> cd introcs

Now, the command prompt will be:

C:\introcs>

To see what is in this directory type:

C:\introcs> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs 02/10/2005 02/10/2005 02/03/2005 01/17/2005 08:59 PM DIR 08:59 PM DIR 11:53 PM 01:16 AM 2 File(s) 2 Dir(s) . .. 126 HelloWorld.java 256 readme.txt 382 bytes

To return to the previous directory, use the cd command, but this time followed by a space and two periods.
C:\introcs> cd .. C:\>

mkdir: To create a new directory, use the command mkdir. The following command creates a directory named hello, which you can use to to store all of your files associated with the Hello World assignment.
C:\introcs> mkdir hello

To see that it actually worked, use the dir command.

C:\introcs> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs 02/10/2005 02/10/2005 02/11/2005 02/03/2005 01/17/2005 08:59 PM DIR 08:59 PM DIR 02:53 PM DIR 11:53 PM 01:16 AM 2 File(s) 3 Dir(s) . .. hello 126 HelloWorld.java 256 readme.txt 382 bytes

move: Now, move the two files HelloWorld.java and readme.txt into the hello directory using the move command.
C:\introcs> move HelloWorld.java hello C:\introcs> move readme.txt hello C:\introcs> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs 02/10/2005 08:59 PM DIR .

02/10/2005 02/11/2005

08:59 PM DIR 02:53 PM DIR 0 File(s) 3 Dir(s)

.. hello 0 bytes

The two files are no longer visible from the current directory. To access the two files, change directories with the cd command. Then use the dir command to see what is in this new directory.
C:\introcs> cd hello C:\introcs\hello> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs\hello 02/10/2005 02/10/2005 02/03/2005 01/17/2005 08:59 PM DIR 08:59 PM DIR 11:53 PM 01:16 AM 2 File(s) 2 Dir(s) . .. 126 HelloWorld.java 256 readme.txt 382 bytes

You can also use move to rename a file. Simply specify a new filename instead of a directory name. Suppose you accidentally messed up the upper and lower case and had saved HelloWorld.java as helloworld.java. Use two move commands to fix it.
C:\introcs\hello> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs\hello 02/10/2005 02/10/2005 02/03/2005 01/17/2005 08:59 PM DIR 08:59 PM DIR 11:53 PM 01:16 AM 2 File(s) 2 Dir(s) . .. 126 helloworld.java 256 readme.txt 382 bytes

C:\introcs\hello> move helloworld.java temp.java C:\introcs\hello> move temp.java HelloWorld.java C:\introcs\hello> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs\hello 02/10/2005 02/10/2005 02/03/2005 01/17/2005 08:59 08:59 11:53 01:16 PM PM PM AM DIR DIR . .. 126 HelloWorld.java 256 readme.txt

2 File(s) 2 Dir(s)

382 bytes

It takes two moves because Windows won't let you move to an already existing filename and, to Windows, helloworld.java is the same as HelloWorld.java.

copy: To make a copy of a file, use the copy command. The following command creates a backup copy of our HelloWorld.java program. This is especially useful when you modify a working program, but might want to revert back to the original version if your modifications don't succeed.
C:\introcs\hello> copy HelloWorld.java HelloWorld.bak C:\introcs\hello> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs\hello 02/10/2005 02/10/2005 02/03/2005 01/17/2005 08:59 PM DIR 08:59 PM DIR 11:53 PM 01:16 AM 2 File(s) 3 Dir(s) . .. 126 HelloWorld.java 256 readme.txt 382 bytes

del: Subsequently, you might want to clean up useless files. The del command deletes a file.
C:\introcs\hello> del HelloWorld.bak C:\introcs\hello> dir Volume in drive C has no label. Volume Serial Number is C8C7-BDCD Directory of C:\introcs 02/10/2005 02/10/2005 02/03/2005 01/17/2005 08:59 PM DIR 08:59 PM DIR 11:53 PM 01:16 AM 2 File(s) 3 Dir(s) . .. 126 HelloWorld.java 256 readme.txt 382 bytes

WARNING: When you revise a file in jEdit, the jEdit program will automatically save a backup copy of your original file in the same directory. The name of the backup file will be the name of the original file with a ~at the end. When you submit your program be careful to submit HelloWorld.java and not HelloWorld.java~ which is an old version of the file and has the wrong name.

wildcards: You can also apply the copy, del, and move commands to several files (or directories) at once. To create a new directory called loops, and copy all of the files in the hello directoryC:\introcs\hello\ into this newly created directory type:
C:\introcs> mkdir loops C:\introcs> copy c:\introcs\hello\* loops

Here the * matches all files in the C:\introcs\hello directory. It copies them to your newly created loops directory. Redirection Two important abstractions in Command Prompt are standard input and standard output. By default standard input is your keyboard, and standard output is your computer screen. For example, in Assignment 1, we write a program CenterofMass.java that reads input using StdIn.java and writes output using System.out.println(). To run our program, the user types the command "java CenterofMass" and enters double type values in triplets: xposition yposition mass from the keyboard. The results appear in the terminal window.
C:\introcs\loops> java CenterofMass 0 0 10 1 1 10 0.5 0.5 20

Redirecting standard input. As an alternative, we can create a file that consists of the same six input numbers. Using a text editor (like jEdit), create a file named input.txt, and type in the six numbers. After saving the file in the loops directory, type the following command to verify that you entered the integers correctly:
C:\introcs\loops> more input.txt 0 0 10 1 1 10

Then to read the integers from the file instead of the keyboard, we use the redirection symbol "<".
C:\introcs\loops> java CenterofMass < input.txt 0.5 0.5 20

This produces exactly the same result as if the user had typed the numbers, except that the user has no opportunity to enter numbers from the keyboard. This is especially useful for two reasons. First, if there are lots of input values (there are over 700 inputs for Assignment 2) it would be tedious to retype them in each time we run our program. Second, it allows programs to be automated, without waiting for user interaction. This means that your grader can process your homework programs without typing in the input values by hand each time.

Redirecting standard output. Similarly it is possible to redirect the output to a file instead of to the screen. Continuing with the same example, if we want to save the output permanently, we can use the output redirection symbol '>'.
C:\introcs\loops> java CenterofMass > output.txt 0 0 10 1 1 10

The user still types in the input values from the keyboard, but instead of sending the output to the screen, it is sent to the file named output.txt. Note that all printf output is sent to the file, even the statement that tells the user what to do. Be careful, if the file output.txt already exists, it will be overwritten. (To append use '>>' instead.)
phoenix.Princeton.EDU% more output.txt

Redirecting standard input and standard output. It is often useful to use both redirection operations simultaneously.
C:\introcs\loops> java CenterofMass < input.txt > output2.txt

After executing this command, no output appears on the screen, but the file output2.txt now contains exactly the same data as output.txt above.

Piping Another useful abstraction is piping. Piping is when the output of one program is used as the input of another program. For example, suppose we want to view the output of a program, but there is so much that it whizzes by on the screen too fast to read. (The program RandInts.java prints out a bunch of random integers.) One possible way to accomplish this is to type the following two commands.
C:\introcs> java RandInts > temp.txt C:\introcs> more < temp.txt

Note that more will work by redirecting the file temp.txt to standard input (as is done here) or by simply using the filename (as is done at the beginning of the document). Instead, we could do this in one line using the pipe symbol '|'
C:\introcs> java RandInts | more

This is often useful when debugging a program, especially if your program goes into an infinite loop and you want to see the first few values that it prints.

Tracing a hacker

By Paperghost on March 1, 2005 @ 05:40 PM

Add to Favorites!

(Views: 178,257)

Print Tutorial!

Share 24

inShare

Ads by Google 6-Core 4-Way SuperServers Supermicro.com/ComputerSystem Energy-efficient Supermicro Server! Featuring Intel Xeon Processors

Sometimes, it's just not enough to simply know that there's a Trojan or Virus onboard. Sometimes you need to know exactly why that file is onboard, how it got there - but most importantly,who put it there. By enumerating the attacker in the same way that they have enumerated the victim, you will be able to see the bigger picture and establish what you're up against. But how can you do this? Read on... ## Connections make the world go round ## The computer world, at any rate. Every single time you open up a website, send an email or upload your webpages into cyberspace, you are connecting to another machine in order to get the job done. This, of course, presents a major problem, because this simple act is what allows malicious users to target a machine in the first place. # How do these people find their victim? Well, first of all, they need to get hold of the victim's IP Address. Your IP (Internet Protocol) address reveals your point of entry to the Internet and can be used in many ways to cause your online activities many, many problems. It may not reveal you by name, but it may be uniquely identifiable and it represents your digital ID while you are online (especially so if you're on a fixed IP / DSL etc). With an IP address, a Hacker can find out all sorts of weird and wonderful things about their victim (as well as causing all kinds of other trouble, the biggest two being Portnukes/Trojans and the dreaded DoS ((Denial of Service)) attack). Some Hackers like to collect IP Addresses like badges, and like to go back to old targets, messing them around every so often. An IP address is incredibly easy to obtain - until recently, many realtime chat applications (such as MSN) were goldmines of information. Your IP Address is contained as part of the Header Code on all emails that you send and webpages that you visit can store all kinds of information about you. A common trick is for the Hacker to go into a Chatroom, paste his supposed website address all over the place, and when the unsuspecting victim visits, everything about your computer from the operating system to the screen resolution can be logged...and, of course, the all important IP address. In addition, a simple network-wide port scan will reveal vulnerable target machines, and a war-dialler will scan thousands of lines for exposed modems that the hacker can exploit.

So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine? ## Virtual and Physical Ports ## Everything that you recieve over the Internet comes as a result of other machines connecting to your computer's ports. You have two types; Physical are the holes in the back of your machine, but the important ones are Virtual. These allow transfer of data between your computer and the outside world, some with allocated functions, some without, but knowing how these work is the first step to discovering who is attacking you; you simply MUST have a basic knowledge of this, or you won't get much further. # What the phrases TCP/UDP actually mean TCP/IP stands for Transmission Control Protocol and Internet Protocol, a TCP/IP packet is a block of data which is compressed, then a header is put on it and it is sent to another computer (UDP stands for User Datagram Protocol). This is how ALL internet transfers occur, by sending packets. The header in a packet contains the IP address of the one who originally sent you it. Now, your computer comes with an excellent (and free) tool that allows you to see anything that is connected (or is attempting to connect) to you, although bear in mind that it offers no blocking protection; it simply tells you what is going on, and that tool is NETSTAT. ## Netstat: Your first line of defence ## Netstat is a very fast and reliable method of seeing exactly who or what is connected (or connecting) to your computer. Open up DOS (Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS Prompt, type: netstat -a (make sure you include the space inbetween the "t" and the "a"). If you're connected to the Internet when you do this, you should see something like: QUOTE Active Connections Proto Local Address Foreign Address State TCP macintosh: 20034 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT TCP macintosh MACINTOSH: 0 LISTENING TCP macintosh MACINTOSH: 0 LISTENING TCP macintosh MACINTOSH: 0 LISTENING

Now, "Proto(col)" simply means what kind of data transmission is taking place (TCP or UDP), "Local address" is your computer (and the number next to it tells you what port you're connected on), "Foreign Address" is the machine that is connected to you (and what port they're using), and finally "State" is simply whether or not a connection is actually established, or whether the machine in

question is waiting for a transmission, or timing out etc. Now, you need to know all of Netstat's various commands, so type: netstat ? You will get something like this:
QUOTE Displays protocol statistics and current TCP/IP network connections. NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval] -a Displays all connections and listening ports. -e Displays Ethernet statistics. This may be combined with the -s option. -n Displays addresses and port numbers in numerical form. -p proto Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP. -r Displays the routing table. -s Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.

Have a play around with the various options, but the most important use of these methods is when you combine them. The best command to use is netstat -an because this will list all connections in Numerical Form, which makes it a lot easier to trace malicious users....Hostnames can be a little confusing if you don't know what you're doing (although they're easily understandable, as we shall see later). Also, by doing this, you can also find out what your own IP address is, which is always useful. Also, netstat -b will tell you what ports are open and what programs are connecting to the internet. ## Types of Port ## It would be impossible to find out who was attacking you if computers could just access any old port to perform an important function; how could you tell a mail transfer from a Trojan Attack? Well, good news, because your regular, normal connections are assigned to low, commonly used ports, and in general, the higher the number used, the more you should be suspicious. Here are the three main

types of port: # Well Known Ports These run from 0 to 1023, and are bound to the common services that run on them (for example, mail runs on channel 25 tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find one of these ports open (and you usually will), it's usually because of an essential function. # Registered Ports These run on 1024 to 49151. Although not bound to a particular service, these are normally used by networking utilities like FTP software, Email client and so on, and they do this by opening on a random port within this range before communicating with the remote server, so don't panic (just be wary, perhaps) if you see any of these open, because they usually close automatically when the system that's running on them terminates (for example, type in a common website name in your browser with netstat open, and watch as it opens up a port at random to act as a buffer for the remote servers). Services like MSN Messenger and ICQ usually run on these Ports. # Dynamic/Private Ports Ranging from 49152 to 65535, these things are rarely used except with certain programs, and even then not very often. This is indeed the usual range of the Trojan, so if you find any of these open, be very suspicious. So, just to recap:
QUOTE Well Known Ports 0 to 1023 Commonly used, little danger. Registered Ports 1024 to 49151 Not as common, just be careful. Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.

## The hunt is on ## Now, it is essential that you know what you're looking for, and the most common way someone will attack your machine is with a Trojan. This is a program that is sent to you in an email, or attempts to bind itself to one of your ports, and when activated, it can give the user your passwords, access to your hard drive...they can even make your CD Tray pop open and shut. At the end of this Document, you will find a list of the most commonly used Trojans and the ports they operate on. For now, let's take another look at that first example of Netstat....
QUOTE Active Connections Proto Local Address Foreign Address State TCP macintosh: 27374 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT TCP macintosh MACINTOSH: 0 LISTENING TCP macintosh MACINTOSH: 0 LISTENING TCP macintosh MACINTOSH: 0 LISTENING

Now, straight away, this should make more sense to you. Your computer is connected on two ports, 80 and 27374. Port 80 is used for http/www transmissions (ie for all intents and purposes, its how you connect to the net, although of course it's a lot more complicated than that). Port 27374, however, is distinctly suspicious; first of all, it is in the registered port range, and although other services (like MSN) use these, let's assume that you have nothing at all running like instant messengers, webpages etc....you're simply connected to the net through proxy. So, now this connection is looking even more troublesome, and when you realise that 27374 is a common port for Netbus (a potentially destructive Trojan), you can see that something is untoward here. So, what you would do is:
QUOTE 1) run Netstat , and use: Netstat -a then Netstat -an So you have both Hostnames AND IP addresses.

## Tracerouting ## Having the attacker's IP is all well and good, but what can you do with it? The answer is, a lot more! It's not enough to have the address, you also need to know where the attacker's connections are coming from. You may have used automated tracerouting tools before, but do you jknow how they work? Go back to MSDOS and type
QUOTE tracert *type IP address/Hostname here*

Now, what happens is, the Traceroute will show you all the computers inbetween you and the target machine, including blockages, firewalls etc. More often than not, the hostname address listed before the final one will belong to the Hacker's ISP Company. It'll either say who the ISP is somewhere in there, or else you run a second trace on the new IP/hostname address to see who the ISP Company in question is. If the Hostname that you get back doesn't actually seem to mention an actual

geographical location within its text, you may think all is lost. But fear not! Suppose you get a hostname such as http://www.haha.com Well, that tells us nothing, right? Wrong....simply enter the hostname in your browser, and though many times you will get nothing back, sometimes it will resolve to an ISP, and from there you can easily find out its location and in what areas they operate. This at least gives you a firm geographical location to carry out your investigations in. If you STILL have nothing, as a last resort you COULD try connecting to your target's ISP's port 13 by Telnet, which will tell you how many hours ahead or behind this ISP is of GMT, thus giving you a geographical trace based on the time mentioned (although bear in mind, the ISP may be doing something stupid like not having their clocks set correctly, giving you a misleading trace. Similarly, a common tactic of Hackers is to deliberately have their computer's clock set to a totally wrong time, so as to throw you off the scent). Also, unless you know what you're doing, I wouldn't advise using Telnet (which is outside the parameters of this tutorial). ## Reverse DNS Query ## This is probably the most effective way of running a trace on somebody. If ever you're in a chatroom and you see someone saying that they've "hacked into a satellite orbiting the Earth, and are taking pictures of your house right now", ignore them because that's just bad movie nonsense. THIS method is the way to go, with regard to finding out what country (even maybe what State/City etc) someone resides, although it's actually almost impossible to find an EXACT geographical location without actually breaking into your ISP's Head Office and running off with the safe. To run an rDNS query, simply go back to MS-DOS and type netstat and hit return. Any active connections will resolve to hostnames rather than a numerical format. # DNS DNS stands for Domain Name Server. These are machines connected to the Internet whose job it is to keep track of the IP Addresses and Domain Names of other machines. When called upon, they take the ASCII Domain Name and convert it to the relevant numeric IP Address. A DNS search translates a hostname into an IP address....which is why we can enter "www.Hotmail.com" and get the website to come up, instead of having to actually remember Hotmail's IP address and enter that instead. Well, Reverse DNS, of course, translates the IP Address into a Hostname (ie - in letters and words instead of numbers, because sometimes the Hacker will employ various methods to stop Netstat from picking up a correct Hostname).

So, for example, 298.12.87.32 is NOT a Hostname. mail6.bol.net.au IS a Hostname. Anyway, see the section at the end? (au) means the target lives in Australia. Most (if not all) hostnames end in a specific Country Code, thus narrowing down your search even further. If you know your target's Email Address (ie they foolishly sent you a hate mail, but were silly enough to use a valid email address) but nothing else, then you can use the Country codes to deduce where they're from as well. You can also deduce the IP address of the sender by looking at the emails header (a "hidden" line of code which contains information on the sender)...on Hotmail for example, go to Preferences, and select the "Full Header's Visible" option. Alternatively, you can run a "Finger" Trace on the email address, at: www.samspade.org Plus, some ISP's include their name in your Email Address with them too (ie Wanadoo, Supanet etc), and your Hacker may be using an email account that's been provided by a Website hosting company, meaning this would probably have the website host's name in the email address (ie Webspawners). So, you could use the information gleaned to maybe even hunt down their website (then you could run a website check as mentioned previously) or report abuse of that Website Provider's Email account (and thus, the Website that it goes with) to abuse@companynamegoeshere.com If your Hacker happens to reside in the USA, go to: www.usps.gov/ncsc/lookups/abbr_state.txt for a complete list of US State abbreviatons. ## List of Ports commonly used by Trojans ## Please note that this isn't a complete list by any means, but it will give you an idea of what to look out for in Netstat. Be aware that some of the lower Ports may well be running valid services. UDP: 1349 Back Ofrice DLL 31337 BackOfrice 1.20 31338 DeepBO 54321 BackOfrice 2000

TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash 23 Tiny Telnet Server

25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30 31 Hackers Paradise 80 Executor 456 Hackers Paradise 555 Ini-Killer, Phase Zero, Stealth Spy 666 Satanz Backdoor 1001 Silencer, WebEx 1011 Doly Trojan 1170 Psyber Stream Server, Voice 1234 Ultors Trojan 1243 SubSeven 1.0 - 1.8 1245 VooDoo Doll 1492 FTP99CMP 1600 Shivka-Burka 1807 SpySender 1981 Shockrave 1999 BackDoor 1.00-1.03 2001 Trojan Cow 2023 Ripper 2115 Bugs 2140 Deep Throat, The Invasor 2801 Phineas Phucker 3024 WinCrash 3129 Masters Paradise 3150 Deep Throat, The Invasor 3700 Portal of Doom 4092 WinCrash 4567 File Nail 1 4590 ICQTrojan 5000 Bubbel 5000 Sockets de Troie 5001 Sockets de Troie 5321 Firehotcker 5400 Blade Runner 0.80 Alpha 5401 Blade Runner 0.80 Alpha 5402 Blade Runner 0.80 Alpha 5400 Blade Runner 5401 Blade Runner 5402 Blade Runner 5569 Robo-Hack 5742 WinCrash 6670 DeepThroat 6771 DeepThroat

6969 GateCrasher, Priority 7000 Remote Grab 7300 NetMonitor 7301 NetMonitor 7306 NetMonitor 7307 NetMonitor 7308 NetMonitor 7789 ICKiller 8787 BackOfrice 2000 9872 Portal of Doom 9873 Portal of Doom 9874 Portal of Doom 9875 Portal of Doom 9989 iNi-Killer 10067 Portal of Doom 10167 Portal of Doom 10607 Coma 1.0.9 11000 Senna Spy 11223 Progenic trojan 12223 Hack99 KeyLogger 12345 GabanBus, NetBus 12346 GabanBus, NetBus 12361 Whack-a-mole 12362 Whack-a-mole 16969 Priority 20001 Millennium 20034 NetBus 2.0, Beta-NetBus 2.01 21544 GirlFriend 1.0, Beta-1.35 22222 Prosiak 23456 Evil FTP, Ugly FTP 26274 Delta 30100 NetSphere 1.27a 30101 NetSphere 1.27a 30102 NetSphere 1.27a 31337 Back Orifice 31338 Back Orifice, DeepBO 31339 NetSpy DK 31666 BOWhack 33333 Prosiak 34324 BigGluck, TN 40412 The Spy 40421 Masters Paradise 40422 Masters Paradise 40423 Masters Paradise

40426 Masters Paradise 47262 Delta 50505 Sockets de Troie 50766 Fore 53001 Remote Windows Shutdown 54321 SchoolBus .69-1.11 61466 Telecommando 65000 Devil

## Summary ## I hope this tutorial is useful in showing you both how to secure yourself against unwanted connections, and also how to determine an attacker's identity. The Internet is by no means as anonymous as some people think it is, and although this is to the detriment of people's security online, this also works both ways....it IS possible to find and stop even the most determined of attackers, you just have to be patient and keep hunting for clues which will help you put an end to their exploits. > Tracing a hacker > Written by: Paperghost [paperghost@vitalsecurity.org] > http://www.vitalsecurity.org > Loyalty and Protection for All our Families > 24/02/2005

How to remove a Trojan, Virus, Worm, or other Malware

By Lawrence Abrams on May 18, 2005 @ 05:41 PM (Views: 3,308,893)

Add to Favorites!
Share 37

Print Tutorial!

inShare

Table of Contents 1. 2. Diallers, Trojans, Viruses, Worms Oh My! How these infections start

3. 4. 5. 6.

Use an anti-virus and anti-malware program to remove the infections How to remove these infections manually How to protect yourself in the future Conclusion

Ads by Google Premium DDoS Protection www.nexusguard.com Multi-GB, Application Layer, Fast ! Professional Managed Anti-DDos
Dialers, Trojans, Viruses, and Worms Oh My! If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are those malicious programs that once they infect your machine will start causing havoc on your computer. What many people do not know is that there are many different types of infections that are categorized in the general category of Malware. Malware - Malware is programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, Trojan horses, spyware, hijackers, and certain type of adware. This article will focus on those malware that are considered viruses, trojans, worms, and viruses, though this information can be used to remove the other types of malware as well. We will not go into specific details about any one particular infection, but rather provide a broad overview of how these infections can be removed. For the most part these instructions should allow you to remove a good deal of infections, but there are some that need special steps to be removed and these won't be covered under this tutorial. Before we continue it is important to understand the generic malware terms that you will be reading about. Adware - A program that generates pop-ups on your computer or displays advertisements. It is important to note that not all adware programs are necessarily considered malware. There are many legitimate programs that are given for free that display ads in their programs in order to generate revenue. As long as this information is provided up front then they are generally not considered malware. Backdoor - A program that allows a remote user to execute commands and tasks on your computer without your permission. These types of programs are typically used to launch attacks on other computers, distribute copyrighted software or media, or hack other computers. Dialler - A program that typically dials a premium rate number that has per minute charges over and above the typical call charge. These calls are with the intent of gaining access to pornographic material. Hijackers - A program that attempts to hijack certain Internet functions like redirecting your start page to the hijacker's own start page, redirecting search queries to a undesired search engine, or replace search results from popular search engines with their own information. Spyware - A program that monitors your activity or information on your computer and sends that information to a remote computer without your knowledge. Trojan - A program that has been designed to appear innocent but has been intentionally designed to cause some malicious activity or to provide a backdoor to your system. Virus - A program that when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects ranging from wiping your hard drive, displaying a joke in a small box, or doing nothing at all except to replicate itself. These types of infections tend to be localized to your computer and not have the ability to spread to another computer on their own. The word virus has incorrectly become a general term that encompasses trojans, worms, and viruses.

Worm - A program that when run, has the ability to spread to other computers on its own using either mass-mailing techniques to email addresses found on your computer or by using the Internet to infect a remote computer using known security holes.

How these infections start Just like any program, in order for the program to work, it must be started. Malware programs are no different in this respect and must be started in some fashion in order to do what they were designed to do. For the most part these infections run by creating a configuration entry in the Windows Registry in order to make these programs start when your computer starts. Unfortunately, though, in the Windows operating system there are many different ways to make a program start which can make it difficult for the average computer user to find manually. Luckily for us, though, there are programs that allow us to cut through this confusion and see the various programs that are automatically starting when windows boots. The program we recommend for this, because its free and detailed, is Autoruns from Sysinternals. When you run this program it will list all the various programs that start when your computer is booted into Windows. For the most part, the majority of these programs are safe and should be left alone unless you know what you are doing or know you do not need them to run at startup. At this point, you should download Autoruns and try it out. Just run the Autoruns.exe and look at all the programs that start automatically. Don't uncheck or delete anything at this point. Just examine the information to see an overview of the amount of programs that are starting automatically. When you feel comfortable with what you are seeing, move on to the next section. Use an anti-virus and anti-malware program to remove the infections Make sure you are using an anti-virus program and that the anti-virus program is updated to use the latest definitions. If you do not currently have an anti-virus installed, you can select one from the following list and use it to scan and clean your computer. The list below includes both free and commercial anti-virus programs, but even the commercial ones typically have a trial period in which you can scan and clean your computer before you have to pay for it.

Kaspersky Anti-virus ESET Nod32 AVG Avast BitDefender Microsoft Security Essentials Trend Micro Antivir

It is also advised that you install and scan your computer with MalwareBytes' Anti-Malware and SUPERAntiSpyware. Both of these are excellent programs and have a good track record at finding newer infections that the more traditional anti-virus programs miss. Guides on how to install and use these programs can be found below. How to use Malwarebytes' Anti-Malware to scan and remove malware from your computer How to use SUPERAntiSpyware to scan and remove malware from your computer After performing these instructions if you still are infected, you can use the instructions below to manually remove the infection.

How to remove these infections manually We have finally arrived at the section you came here for. You are most likely reading this tutorial because you are infected with some sort of malware and want to remove it. With this knowledge that you are infected, it is also assumed that you examined the programs running on your computer and found one that does not look right. You did further research by checking that program against our Startup Database or by searching in Google and have learned that it is an infection and you now want to remove it. If you have identified the particular program that is part of the malware, and you want to remove it, please follow these steps. 1. 2. Download and extract the Autoruns program by Sysinternals to C:\Autoruns Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware monitor the keys that allow them to start and if they notice they have been removed, will automatically replace that startup key. For this reason booting into safe mode allows us to get past that defense in most cases. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options. 1. 2. 3. 5. 6. Include empty locations Verify Code Signatures Hide Signed Microsoft Entries

3. 4.

Then press the F5 key on your keyboard to refresh the startups list using these new settings. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. it is therefore important to know exactly which file, and the folder they are in, that you want to remove. You can check our Startup Database for that information or ask for help in our computer help forums. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry. Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you can not see the file, it may be hidden. To allow you to see hidden files you can follow the steps for your operating system found in this tutorial: How to see hidden files in Windows

7.

8.

9.

When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode as you will now be clean from the infection.

How to protect yourself in the future In order to protect yourself from this happening again it is important that take proper care and precautions when using your computer. Make sure you have updated antivirus and spyware removal software running,

all the latest updates to your operating system, a firewall, and only open attachments or click on pop-ups that you know are safe. These precautions can be a tutorial unto itself, and luckily, we have one created already: Simple and easy ways to keep your computer safe and secure on the Internet Please read this tutorial and follow the steps listed in order to be safe on the Internet. Other tutorials that are important to read in order to protect your computer are listed below. Understanding Spyware, Browser Hijackers, and Dialers Understanding and Using a Firewall Safely Connecting a Computer to the Internet Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware Using IE-Spyad to enhance your privacy and Security

Conclusion Now that you know how to remove a generic malware from your computer, it should help you stay relatively clean from infection. Unfortunately there are a lot of malware that makes it very difficult to remove and these steps will not help you with those particular infections. In situations like that where you need extra help, do not hesitate to ask for help in our computer help forums. We also have a self-help section that contains detailed fixes on some of the more common infections that may be able to help. This self-help section can be found here: Virus, Spyware, Malware Removal Guides

Share 37

inShare

Created: May 18th, 2005 at 05:41 pm

This article is published and created for http://www.bleepingcomputer.com, otherwise known as Bleeping Computer, and is covered by all copyright laws. All articles on this website are copyright 2003-2012 by Bleeping Computer, LLC. All right reserved. Use of these articles is limited to viewing and printing for personal use only. If you would like to use this material or portions of this material for other purposes you must receive explicit permission from Bleeping Computer before reprinting or redistributing this article in any medium.

IP Addresses Explained By Lawrence Abrams on March 24, 2004 @ 04:54 AM (Views: 233,301)

Add to Favorites!

Print Tutorial!

Share11

Ads by Google 6-Core 4-Way SuperServers Supermicro.com/ComputerSystem Energy-efficient Supermicro Server! Featuring Intel Xeon Processors

Introduction Every machine on the the Internet has a unique number assigned to it, called an IP address. Without a unique IP address on your machine, you will not be able to communicate with other devices, users, and computers on the Internet. You can look at your IP address as if it were a telephone number, each one being unique and used to identify a way to reach you and only you. IPv4 and IPv6 Addresses There are two flavors of IP Addresses that can be used on a network. The first, and the version that the Internet and most routers are currently configured for, is IPv4 or Internet Protocol version 4. This version uses 32-bit addresses, which limits the amount of addresses to 4,294,967,296 possible unique addresses. Some of these addresses, about 290 million, are also reserved for special purposes. Due to the popular growth of the Internet there has been concern that the pool of possible addresses would be exhausted in the near future. With this in mind, a new version of IP addresses was developed called IPv6, or Internet Protocol version 6, that would change the address size from 32-bit address to 128-bit addresses. This change would allow for generous IP address allocations to networks without any foreseeable problem with the amount of addresses available. In order to use IPv6 addresses, though, existing routers and hardware would need to be upgraded or configured to use this new version of IP addresses. As IPv4 is still the most commonly used, this tutorial will be focusing on that version of IP addresses. The Address Itself An IP address always consists of 4 numbers separated by periods, with the numbers having a possible range of 0 through 255. An example of how an IP address appears is: 192.168.1.10 This representation of an IP address is called decimal notation and is what is generally used by humans to refer to an IP address for readability purposes. With the ranges for each number being between 0 and 255 there are a total 4,294,967,296 possible IP addresses. Out of these addresses there are 3 special ranged that are reserved for special purposes. The first is the 0.0.0.0 address and refers to the default network and the 255.255.255.255 address which is called the broadcast address. These addresses are used for routing, which

will not be covered in this tutorial. The third address, 127.0.0.1, is the loopback address, and refers to your machine. Whenever you see, 127.0.0.1, you are actually referring to your own machine. That means if you clicked on this link, http://127.0.0.1, you are actually trying to connect to your own computer, and unless you have a web server running, you will get a connection error. There are some guidelines to to how IP address can appear, though. The four numbers must be between 0 and 255, and the IP address of 0.0.0.0 and 255.255.255.255 are reserved, and are not considered usable IP addresses. IP addresses must be unique for each computer connected to a network. That means that if you have two computers on your network, each must have a different IP address to be able to communicate with each other. If by accident the same IP address is assigned to two computers, then those computers would have what is called an "IP Conflict" and not be able to communicate with each other. IP address classes These IP addresses can further be broken down into classes. These classes are A, B, C, D, E and their possible ranges can be seen in Figure 2 below.
Class A B C D E Start address 0.0.0.0 128.0.0.0 192.0.0.0 224.0.0.0 240.0.0.0 Finish address 126.255.255.255 191.255.255.255 223.255.255.255 239.255.255.255 255.255.255.255

Figure 2. IP address Classes If you look at the table you may notice something strange. The range of IP address from Class A to Class B skips the 127.0.0.0-127.255.255.255 range. That is because this range is reserved for the special addresses called Loopback addresses that have already been discussed above. The rest of classes are allocated to companies and organizations based upon the amount of IP addresses that they may need. Listed below are descriptions of the IP classes and the organizations that will typically receive that type of allocation. Default Network: The special network 0.0.0.0 is generally used for routing. Class A: From the table above you see that there are 126 class A networks. These networks consist of 16,777,214 possible IP addresses that can be assigned to devices and computers. This type of allocation is generally given to very large networks such as multinational companies. Loopback: This is the special 127.0.0.0 network that is reserved as a loopback to your own computer. These addresses are used for testing and debugging of your programs or

hardware. Class B: This class consists of 16,384 individual networks, each allocation consisting of 65,534 possible IP addresses. These blocks are generally allocated to Internet Service Providers and large networks, like a college or major hospital. Class C: There is a total of 2,097,152 Class C networks available, with each network consisting of 255 individual IP addresses. This type of class is generally given to small to mid-sized companies. Class D: The IP addresses in this class are reserved for a service called Multicast. Class E: The IP addresses in this class are reserved for experimental use. Broadcast: This is the special network of 255.255.255.255, and is used for broadcasting messages to the entire network that your computer resides on. Private Addresses There are also blocks of IP addresses that are set aside for internal private use for computers not directly connected to the Internet. These IP addresses are not supposed to be routed through the Internet, and most service providers will block the attempt to do so. These IP addresses are used for internal use by company or home networks that need to use TCP/IP but do not want to be directly visible on the Internet. These IP ranges are:
Class A B C Private Start Address 10.0.0.0 172.16.0.0 192.168.0.0 Private End Address 10.255.255.255 172.31.255.255 192.168.255.255

If you are on a home/office private network and want to use TCP/IP, you should assign your computers/devices IP addresses from one of these three ranges. That way your router/firewall would be the only device with a true IP address which makes your network more secure. Common Problems and Resolutions The most common problem people have is by accident assigning an IP address to a device on your network that is already assigned to another device. When this happens, the other computers will not know which device should get the information, and you can experience erratic behavior. On most operating systems and devices, if there are two devices on the local network that have the same IP address, it will generally give you a "IP Conflict" warning. If you see this warning, that means that the device giving the warning, detected another device on the network using the same address. The best solution to avoid a problem like this is to use a service called DHCP that almost all home routers provide. DHCP, or Dynamic Host Configuration Protocol, is a service that assigns addresses to devices and computers. You tell the DHCP server what range of IP addresses you would like it to assign, and then the DHCP server takes the responsibility of assigning those IP addresses to the various devices and keeping track so those IP addresses are assigned only once.

Conclusion IP addresses and their function on the Internet is an important concept to understand. Hopefully with this tutorial you will have a firmer grasp on this concept, which should help you troubleshoot problems and bring a better understanding of how the Internet works. -Lawrence Abrams Bleeping Computer Basic Internet Concepts Tutorial Series BleepingComputer.com: Computer Support & Tutorials for the beginning computer user.