How to remove malware from your PC- Step by step process. . .


Malware, short for malicious software, is software designed to secretly access a computer system without the owner's informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

The best-known types of malware, viruses and worms, are known for the manner in which they spread, rather than any other particular behavior. The term computer virus is used for a program that has infected some executable software and that causes that when run, spread the virus to other executables. Viruses may also contain a payload that performs other actions, often malicious. A worm, on the other hand, is a program that actively transmits itself over a network to infect other computers. It too may carry a payload.

These definitions lead to the observation that a virus requires user intervention to spread, whereas a worm spreads itself automatically. Using this distinction, infections transmitted by email or Microsoft Word documents, which rely on the recipient opening a file or email to infect the system, would be classified as viruses rather than worms.

In my experience, malware is one of the most common and annoying issues a PC owner has to combat. Fortunately with a handful of free tools it’s easy to keep malware in check. Here’s how I do it with free tools.

1. RUN CCLEANER
Get Ccleaner and install it. It’s free. The purpose of Ccleaner is basically to tidy up your computer so the next two tools have fewer files to scan and can then finish their scans MUCH faster. So open Ccleaner and then look at the following screenshot:

When you’re in the “Cleaner” tab click “Run Cleaner.” Then click it a couple more times and make sure that your result is the same as mine in the above screenshot. You want it to remove some stuff the first one or two times you run the cleaner, but after that you don’t want there to be anything to remove. If you find after each successive cleaning that Ccleaner continues to find things to remove, you can bet you’ve got at least some kind of malware.

Now go to the “Registry” tab and then “scan for issues.” Fix those issues, but be sure to save a backup of that registry file somewhere in case you accidentally remove a registry value that was important to system function.
Next go to the “Tools” tab and select the “Uninstall” button. Ccleaner does a great job of uninstalling programs and with this tool you’ll be able to uninstall all those applications you don’t need. So get rid of the MSN Toolbar as well as any program that looks phony. My rule of thumb for people who don’t know what programs they should keep is “if it looks legit, it probably is.” “Innocent until proven guilty” is another good rule of thumb. Uninstall what you don’t use now.

2. RUN MALWAYREBYTES
Get Malwarebytes, it is a phenomenal application that removes a lot of malware from your computer. You really don’t need any screenshots of this application to understand how it works. You open the program, select “quick scan” and away you go. It really does a great job of walking you through the process.

Note that while Malwarebytes does dectect and remove malware from your PC, it does not provide real-time protection. As a matter of fact there really isn’t any application, paid or free, that provides good real-time protection from malware (you can quote me on that one). To get rid of malware you’re really going to just have to run this program from time to time.

3. RUN SUPER ANTISPYWARE
Get Super Antispyware (get the free version). This application does much the same thing as Malwarebytes, but by using two applications the chances of a piece of malware slipping by are slim. When you run Super Antispyware for the first time it’s going to ask you a bunch of questions, choose whichever answer you want, you’re not going to affect anything crucial no matter how you answer.

Go ahead and click “Scan your computer” and then select “Perform quick scan.” Super Antispyware will likely take longer to finish than anything else you’ve done so far, so expect that. When it’s done scanning you’re going to see this screen:

Of course, it may have found more pieces of malware than it did on my PC, but note that at this point it’s just telling you that in scanning, it has found these things. To remove them from your computer you have to now click the “Next” button.

4. RUN CCLEANER AGAIN
Now that you’ve run your Malwarebytes and Super Antispyware fire up Ccleaner one last time. Clean the registry as well as your temporary internet files again, just like you did in step #1. This makes sure that there are no straggling thingies hanging around your registry and such. Now would also be a good time to look in Ccleaner under the “Startup” menu and remove any suspicious things which are trying to start themselves each time you fire up your computer.

Note that it takes some time to recognize at a glance what you need and what you don’t need in the startup menu. If you have any doubt as to what a program does in your start menu, use Google before you remove it.
Posted by No comments:

SMB(Server Message Block) Hacking tools

SMBGrind increases the speed of LOphtcrack sessions on sniffer dumps by removing duplication and providing a facility to target specific users without having to edit the dump files manually.
One way of increasing the speed of LOphtCrack sessions on sniffer dumps is to remove duplication and provide a facility to target specific users without having to edit the dump files manually. Therefore password cracking becomes a time-consuming laborious process unless it is targeted towards particular passwords.
If an attacker can force a NetBIOS connection from its target it can retrieve the user authentication information of the currently logged in user. On its part SMB protocol uses a challenge-response method of authentication to prevent replay attacks and complicate cracking. The challenge is eight bytes of randomly generated data which the client encrypts using the password as an encryption key. If this can be obtained, the session can be hijacked as well. But this is not always easy.
SMBGrind is a tool that seeks to solve this problem and make password cracking by LOphtCrack faster. It removes duplicates and saves the file to disk so that the attacker can e-mail the filtered file directly from within SMB Grinder via the File-Send menu option.
Hacking Tool: SMBDie
SMBDie tool crashes computers running Windows 2000/XP/NT by sending specially crafted SMB request
SMBDie is another tool that takes advantage of the implementation of a protocol by a vendor. The vulnerability results because of a flaw in the way Microsoft's implementation of SMB receives a packet requesting the SMB service. Two SMB exploit programs - SMBDie and smbnuke exploit the vulnerability the same way.
An attacker can launch a denial of service by establishing a valid SMB session to a Windows NT/2000/XP system, and then sending a specially crafted transaction packet to request the NetServerEnum2, NetServerEnum3 or NetShareEnum functions. In the SMB transaction packet, if either or both of "Max Param Count" and "Max Data Count" values are equal to zero, then the server miscalculates the length of the first buffer. This causes the next chunk in the heap to be overwritten. Once the first buffer is released then the heap will be in an inconsistent state and will cause a blue screen of death. The attacker can use both a user account and anonymous access to accomplish this.
Any machine on the network including systems that are connected via VPN can launch this attack. All that an attacker needs is the IP address and NetBIOS name of the target system. The attack registers an entry in the system log when it is successful but does not indicate the source of the attack. Countermeasures include blocking access to SMB ports from untrusted networks. By blocking TCP ports 445 and 139 at the network perimeter, administrators can prevent the attack from untrusted parties. Additionally, the LAN man server service can be stopped which prevents the attack, but again may not be suitable on a file and print sharing server.
Hacking Tool: NBTDeputy
  • NBTDeputy register a NetBIOS computer name on the networkand is ready to respond to NetBT name-query requests.
  • NBT deputy helps to resolve IP address from NetBIOS computer name. It's similar to Proxy ARP.
  • This tool works well with SMBRelay.
  • For example, SMBRelay runs on a computer as ANONYMOUS-ONE and the IP address is 192.168.1.10 and NBT Deputy is also ran and 192.168.1.10 is specified. SMBRelay may connect to any XP or .NET server when the logon users access "My Network Places"
There are certain pre-requisites for NBTdeputy to be effective. NetBIOS over TCP/IP must be disabled as NBTdeputy uses port 137 and 138. The user must specify a unique computer name on the LAN because NBTdeputy does not check for existing computer names. The user must also specify an existing Workgroup on LAN as NBTdeputy does not become the Master Browser. NBTdeputy must exist on the same LAN as the targeted XP and .Net Server machines.
NetBIOS DoS Attack
  • Sending a 'NetBIOS Name Release' message to the NetBIOS Name Service (NBNS, UDP 137) on a target NT/2000 machine forces it to place its name in conflict so that the system will no longer will be able to use it.
  • This will block the client from participating in the NetBIOS network.
  • Tool: nbname
    • NBName can disable entire LANs and prevent machines from rejoining them.
    • Nodes on a NetBIOS network infected by the tool will think that their names already are being used by other machines.
NetBIOS is a set of defined software interfaces for vendor-independent PC networking and is primarily used on Microsoft Windows computers. The NetBIOS Name Service (NBNS) provides a means for hostname and address mapping on a NetBIOS-aware network. In Microsoft's implementation of the NBNS Name Server (Microsoft WINS Server) they mapped group names to the single IP address 255.255.255.255 (the limited broadcast address). In order to support real group names, Microsoft modified WINS to provide support for special groups. These groups appear differently in WINS. However, since an authentication mechanism has not been defined for NetBIOS running over TCP/IP protocol, all systems running NetBIOS services are vulnerable to spoofing attacks.
For instance, an attacker can send spoofed "Name Release" or "Name Conflict" messages to a target machine and force the target machine to remove its real name from its name table (as seen with nbtstat) and not respond to other NetBIOS requests. This results in a denial of service as the legitimate machine is not able to communicate with other NetBIOS hosts.
NBName is a tool written by Sir Dystic of the Cult of Dead Cow. It decodes and displays all NetBIOS name packets it receives on UDP port 137.
Using the /DENY * command line option it will respond negatively to all NetBIOS name registration packets it receives.
Using the /CONFLICT command line option it will send a name release request for each name that is not already in conflict to machines it receives an adapter status response from.
The /FINDALL command line option causes a wildcard name query request to be broadcast at startup and each machine that responds to the name query is sent an adapter status request.
The /ASTAT command line option causes an adapter status request to be sent to the specified IP address, which doesn't have to be on the local network.
Using /FINDALL /CONFLICT /DENY * will disable entire local NetBIOS network and prevent machines from rejoining it. Nodes on a NetBIOS network infected by the tool will think that their names already are being used.
Posted by 2 comments:
Subscribe to: Posts (Atom)