The first thing to do is to secure your PC. For that, follow these steps:
DO NOT EVER test any file that you got from the net or from any other person on the PC that you use for browsing the Internet.
Always keep your anti-virus updated, or use an up-to-date online scanner for viruses and trojans; this one is free: http://housecall.antivirus.com (click on Scan Now). Once you get the names of any hacking files, write them down on a piece of paper.
Check your PC for hack files: for example, search for any of the files listed below (after you allow hidden and system files to appear). If you find any of them, read the rest of this page.
Right click on the Network Neighborhood icon, choose Properties, then remove the last item (File and Printer Sharing).
Do not install any protocol that you don't really use.
When you finish browsing the Internet, close Internet Explorer, then right click on the Internet Explorer icon on the desktop and choose Properties. In the General tab click the "Delete Files" button, check the "Delete all offline content" check-box and click OK (also click the "Delete Cookies" button if you have it).
Turn off the AutoComplete option in your browser. Regarding cookies, it is better to go to Tools, Internet Options, and in the Security tab click Custom Level and choose "Prompt" for both cookie options.
If you are using netstat.exe, it is recommended that you rename it to some other name and use the renamed file.
Always delete the files in the C:\Temp and C:\Windows\Temp folders.
Try your best to always use "Windows Update".
Some hacking files or viruses don't allow you to run any application; in that case you have to run this file to fix the problem: Undo.reg.
Do NOT check any "Save password" check box.
Try NOT to keep FTP connections on your PC.
Remember that many sites are not trusted, so don't feel too free about downloading any file from the Internet.
Make your password as long as you can, and make sure it includes some upper case letters and some numbers.
Open the file system.ini. In the fifth line you will find: shell=Explorer.exe. If you have been hacked it will be shell=Explorer.exe xxxx.xxx, where xxxx.xxx is some file name; change it back to just shell=Explorer.exe and save the file.
Go to the Control Panel, Add/Remove Programs: if you find a (Memory Manager 3.0), UNINSTALL IT. Don't assume that it is a legitimate program.
Open the file Autoexec.bat (right click on it and choose Edit). If you find these two lines in it, remove them and save the file:
1. @echo off copy c:\sys.lon c:\windows\startm~1\programs\startup\mdm.exe
2. del c:\win.reg
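As an added example (not part of the original page), here is a Python check for the two text-file edits just described: it strips anything appended after the shell= program in system.ini and drops the two autoexec.bat lines. The file contents, function names and regex are mine; the samples are constructed, and on a real machine you would read C:\Windows\system.ini and C:\autoexec.bat instead.

```python
import re

# Constructed system.ini whose shell= line has been tampered with in the way the page
# describes: a second program name appended after Explorer.exe.
SAMPLE_SYSTEM_INI = """[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe xxxx.xxx
system.drv=system.drv
"""

# Constructed autoexec.bat containing the two lines the page says to remove.
SAMPLE_AUTOEXEC = """@echo off copy c:\\sys.lon c:\\windows\\startm~1\\programs\\startup\\mdm.exe
del c:\\win.reg
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
"""

# shell=<program><anything else>; on Win9x the line should be exactly shell=Explorer.exe
SHELL_RE = re.compile(r"^(\s*shell\s*=\s*)(\S+)(.*)$", re.IGNORECASE)

# Exact lines (compared lower-cased) that the page identifies as the trojan's hook.
AUTOEXEC_BAD = {
    "@echo off copy c:\\sys.lon c:\\windows\\startm~1\\programs\\startup\\mdm.exe",
    "del c:\\win.reg",
}

def check_shell_line(ini_text):
    """Return (cleaned_text, extra): extra is whatever followed the shell program
    (the hijacking file, e.g. xxxx.xxx), or None when the line is clean."""
    out, extra = [], None
    for line in ini_text.splitlines():
        m = SHELL_RE.match(line)
        if m and m.group(3).strip():
            extra = m.group(3).strip()
            line = m.group(1) + m.group(2)   # keep only shell=Explorer.exe
        out.append(line)
    return "\n".join(out) + "\n", extra

def clean_autoexec(bat_text):
    """Drop the two known trojan lines; return (cleaned_text, removed_lines)."""
    kept, removed = [], []
    for line in bat_text.splitlines():
        (removed if line.strip().lower() in AUTOEXEC_BAD else kept).append(line)
    return "\n".join(kept) + "\n", removed

if __name__ == "__main__":
    _, hijack = check_shell_line(SAMPLE_SYSTEM_INI)
    print("program appended to shell= line:", hijack)
    _, gone = clean_autoexec(SAMPLE_AUTOEXEC)
    print("lines removed from autoexec.bat:", gone)
```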
DON'T DELETE THE WRONG FILE; IF YOU ARE NOT SURE ABOUT A FILE, LEAVE IT.
These files can be located anywhere on your hard disk:
.exe (it is space dot exe)
aim reminder.exe
bf evolution.exe
brainspy .exe (notice the space before the .exe)
cyber takeover.exe
dead bolt.exe
ds3-mini.exe
electric chair.exe
en-cid12.*
fs-backup.exe
hit it.exe
icq login.exe
light up the night.exe
loveday14*.hta
malicious cleaner.exe
microsft internet explorer.hta
news doc.exe
nude pussy.exe
poison gas.exe
port 5000.exe
pretty park.exe
Ram bridge optimizer.exe
recycle-bin.exe
robo-*.exe
rrlf-info.exe
ruler1-3.exe
sanctuary-sys33.exe
self extract.exe
serv-u32.exe
server 1.2.exe (there is a space after server)
sexy virgin.scr
south park.exe
the revenger.exe
truva atl.exe
very malicious.exe
weia-meia.exe
These files are located in the following places. Follow the path; the folder name might be WINNT instead of WINDOWS, and SYSTEM32 instead of SYSTEM (search for these files in the active partition if it is not C: on your PC). If you find any of them, remember its location. It is also better to uncheck "Hide file extensions for known file types" in the Folder Options:
C:\explorer.exe
C:\command.exe
C:\CONFIGG.SYS
C:\default.ini
C:\DivX\ (delete this folder but make sure that it is not used by another program)
C:\DMSETUP.EXE
C:\iecookie.exe
C:\k2vl.exe
C:\MIRC.INI
C:\MIRC\BACKUP0412.INI
C:\MIRC\DMSETUP.EXE
C:\MIRC\MIRCREM.INI
C:\msdos98.exe
C:\msie5.exe
C:\mstask.exe
C:\os32779.sys
C:\PROGRAM FILES\DMSETUP.EXE
C:\Program Files\ik\ik.exe
C:\Program Files\Internet Explorer\_.exe
C:\Program Files\Internet Explorer\_.ini
C:\Program Files\Mdm.exe
C:\Program files\msgsrv36.exe
C:\Program Files\MStesk.exe
C:\recycled\temp.exe
C:\recycled\winkernel.exe
C:\sesame\ (delete this folder if you found it)
C:\something\something.exe
C:\sys.lon
C:\system.dup
C:\TEMPSERVER.exe
C:\WINDOWS\...\Programs\StartUp\DeskManager.exe
C:\WINDOWS\command\drvspace.bat
C:\WINDOWS\command\msdos.sys
C:\WINDOWS\DMSETUP.EXE
C:\windows\fonts\ariel.exe
C:\windows\fonts\fonts\ (delete this folder ... fonts that is inside fonts)
C:\WINDOWS\DMSETUP.EXE
C:\windows\inf\regcle32.exe
C:\windows\start menu\programs\startup\mdm.exe
C:\WINDOWS\Start Menu\Programs\Startup\mstesk.exe
C:\WINDOWS\SYSTEM\BRAINSPY .EXE (there is a space before the .EXE)
C:\Windows\System\WSOCK32.SKA (IF you found this file then delete WSOCK32.DLL and rename this one from WSOCK32.SKA to WSOCK32.DLL)
C:\windows\temp\pkg*.exe (like pkg1221.exe or pkg2342.exe, etc.)
C:\WINDOWS\TEMP\UNINST.DLL
C:\windows\y.bat (the y has two dots over it)
C:\Windows\$TEMP\ (delete this folder if you found it)
Find the file sysedit.exe. If it is about 100 KB, delete it directly and replace it from the Windows CD or from any other non-hacked PC.
Go to C:\Windows\System\systray.exe. If it is about 300 KB, delete it directly and replace it from the Windows CD or from any other non-hacked PC.
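The matcher below is an added example, not from the original page: it takes a directory listing and reports entries that match a subset of the names and paths listed above, trying the WINNT/SYSTEM32 spellings and keeping the easy-to-miss spaces in names like "brainspy .exe" as the page describes. The function names and the listing it scans are mine; the listing is a constructed sample.

```python
import fnmatch
import ntpath

# Subset of the bare names the page lists; the leading space in " .exe" and the space
# in "brainspy .exe" are part of the name and must be matched literally.
BARE_NAME_PATTERNS = [" .exe", "brainspy .exe", "server 1.2.exe", "pkg*.exe",
                      "robo-*.exe", "loveday14*.hta", "en-cid12.*"]

# Subset of the full paths the page lists. The page notes the folder may be WINNT
# instead of WINDOWS and SYSTEM32 instead of SYSTEM, so those spellings are tried too.
FULL_PATH_PATTERNS = [r"C:\explorer.exe", r"C:\sys.lon",
                      r"C:\WINDOWS\SYSTEM\BRAINSPY .EXE",
                      r"C:\windows\start menu\programs\startup\mdm.exe",
                      r"C:\windows\temp\pkg*.exe"]

def _variants(pattern):
    """Lower-cased pattern plus its WINNT and SYSTEM32 spellings."""
    out = {pattern.lower()}
    for old, new in (("\\windows\\", "\\winnt\\"), ("\\system\\", "\\system32\\")):
        out |= {v.replace(old, new) for v in out}
    return out

def find_indicators(paths):
    """Return [(path, pattern)] for each path whose name or full path matches one of
    the page's patterns. Case-insensitive (like FAT/NTFS); spaces are significant."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        for pat in BARE_NAME_PATTERNS:
            if fnmatch.fnmatchcase(name, pat.lower()):
                hits.append((path, pat))
        for pat in FULL_PATH_PATTERNS:
            if any(fnmatch.fnmatchcase(path.lower(), v) for v in _variants(pat)):
                hits.append((path, pat))
    return hits

# Constructed directory listing used to exercise the matcher.
SAMPLE_LISTING = [
    r"C:\WINNT\SYSTEM32\BRAINSPY .EXE",   # WINNT/SYSTEM32 spelling of a listed path
    r"C:\WINDOWS\TEMP\pkg1221.exe",       # matches the pkg*.exe wildcard
    r"C:\WINDOWS\SYSTEM\brainspy.exe",    # no space before .exe: not a listed name
    r"C:\Downloads\ .exe",                # the "space dot exe" name
    r"C:\WINDOWS\explorer.exe",           # legitimate; the page lists C:\explorer.exe only
]

if __name__ == "__main__":
    for path, pat in find_indicators(SAMPLE_LISTING):
        print(f"{path}  <- matches {pat!r}")
```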
Now let us check your Registry. Click Start, choose Run, type regedit and click OK.
Click on the + sign next to HKEY_LOCAL_MACHINE to expand its subfolders, then go to this folder:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
Now click on the subfolder called Run. In the right-hand pane you will find two main columns, Name and Data.
If the Data for an entry shows only "", right click on that Name and choose Delete.
If you find any of the names from the linked list (not reproduced here), delete them too.
Also, if you find this directory:
HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\VxD\VMLDIR\
then delete these items in it:
StaticVxD = "vmldir.vxd"
StaticVxD = "intld.vxd"
Go to this directory:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\
or
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders\
There is an item called "Common Startup"; if you find it in the format
Common Startup = "C:\windows\sysem\(any value)
then delete it.
If you find this directory:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\SessionManager\Known16DLLs\
delete this item in it:
wsasrv.exe = "wsasrv.exe"
Go to this directory:
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\
Click on the (System) folder and see if you can find this key:
DisableRegistryTools = "1"
Right click on this key and choose Delete.
Next, click on the (Explorer) folder and look at the right-hand side. There are 4 items there which need to be deleted; they are:
NoRun
NoFind
NoDesktop
NoClose
Go to this directory:
HKEY_LOCAL_MACHINE\SOFTWARE
On the left-hand side, look for a folder titled (RBO). This is the folder that holds all of your system's passwords which the trojan grabbed, as well as the data the keylogger saved. Right click on the folder (RBO) and choose Delete.
If you find this directory:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
then in the (LanMan) folder, if you see one letter for each drive, you have file sharing turned on for those drives. Right click on each drive, one at a time, in the left-hand panel and choose Delete.
One of the hacking programs (Netbus 2.1) hides itself in another location of the registry. Check whether you find any of these directories:
HKEY_LOCAL_MACHINE\SOFTWARE\UltraAccess Networks\NetBus Server\General
or
HKEY_CURRENT_USER\NetBus Server\General
or
HKEY_CURRENT_USER\NetBus
or
HKEY_CURRENT_USER\NetRex Server\General
or
HKEY_CURRENT_USER\NetRex
If you find one, go to the folder or key (Visability) and change its value from "2" or "3" (or anything else) to "1", then close regedit and restart your computer. When Windows restarts you should see the Netbus Server window (not hidden any more) with a Settings and a Close button. Click the Settings button and turn off the item labeled "Load at startup automatically".
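Added example (not the page's own material): a Python script that reads a regedit export (.reg) and flags the registry indicators described above, so the checks can be done on an exported file rather than by clicking through regedit. The parser and function names are mine and the export it parses is a constructed sample; the key and value names are the ones given on the page.

```python
# Constructed regedit export (REGEDIT4 format, as Win9x regedit writes it) with
# several of the registry indicators the page describes.
SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Mdm"=""
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRun"=dword:00000001
"NoClose"=dword:00000001
[HKEY_CURRENT_USER\NetBus Server\General]
"Visability"="3"
'''

def parse_reg(text):
    """Minimal .reg parser -> {key: {name: data}}; keys/names lower-cased (registry is case-insensitive)."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]                # string value
            elif data.lower().startswith("dword:"):
                data = int(data[6:], 16)         # REG_DWORD
            current[name.lower()] = data
    return keys

POLICIES = r"hkey_users\.default\software\microsoft\windows\currentversion\policies"
NETBUS_KEYS = (r"hkey_local_machine\software\ultraaccess networks\netbus server\general",
               r"hkey_current_user\netbus server\general",
               r"hkey_current_user\netrex server\general")

def audit(keys):
    """Apply the page's registry checks; return a list of (key, value_name, reason)."""
    run = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
    findings = [(run, n, 'Run entry whose Data is only ""')
                for n, d in keys.get(run, {}).items() if d == ""]
    if keys.get(POLICIES + r"\system", {}).get("disableregistrytools") == 1:
        findings.append((POLICIES + r"\system", "disableregistrytools", "regedit disabled"))
    for name in ("norun", "nofind", "nodesktop", "noclose"):
        if name in keys.get(POLICIES + r"\explorer", {}):
            findings.append((POLICIES + r"\explorer", name, "Explorer restriction set"))
    for key in NETBUS_KEYS:
        vis = keys.get(key, {}).get("visability")
        if vis is not None and vis != "1":
            findings.append((key, "visability", "NetBus server hidden; set it to 1"))
    return findings
```

Running `audit(parse_reg(SAMPLE_REG))` on the constructed export reports the empty Mdm Run entry, the disabled regedit, the two Explorer restrictions and the hidden NetBus server.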
Now restart your PC in Safe Mode and delete all the files you found here. If you are not able to delete a file, restart your computer using the boot disk, go to the file's location and delete it from there.
After that, restart your PC. If you get a message saying that a file is missing from your system, just note the name of that file, open C:\WINDOWS\WIN.INI, remove the line that contains the name of that file, and save the file.
DONE !!!
I don't have that strong an idea about ICQ, and I don't actually care about it. It is FULL of security bugs, no matter how many fixes they put out for it, so use it at your own risk.
Have a nice time surfing, and remember: don't act like a hero and talk about how secure your system is. TCP/IP is full of bugs, with more than 65000 ports that hackers can use to access any system. Something else: some hack programs are not detected by anti-virus programs, and even the firewall will not block them, so be careful.
If you like it, share it. Thank you for reading.