WHAT WOULD BE IDEAL PROTECTION OF A SYSTEM?

Password Access- Get rid of simple passwords; routinely change all passwords; regular review/monitoring of password files.

What this all means is that hackers must now rely on the ineptitude and laziness of the users of the system rather than the ignorance of SysOps. The SysOps and SecMans (Security Managers) are getting smarter and keeping up to date. Not only that, but they are monitoring the hack/phreak BBSes and publications. So the bottom line is reveal nothing to overinquisitive newbies…they may be working for the wrong side.

A (Internet) firewall is a machine which is attached (usually) between your site and a Wide Area Network (WAN). It provides
controllable filtering of network traffic, allowing restricted access to certain Internet port numbers and blocks access to pretty well everything else.

1. Don’t do damage intentionally.
2. Don’t alter files other than than to hide your presence or to remove traces of your intrusion.
3. Don’t leave any real name, handle, or phone number on any system.
4. Be careful who you share info with.
5. Don’t leave your phone number with anyone you don’t know.
6. Do NOT hack government computers.
7. Don’t use codes unless you HAVE too.
8. Be paranoid!
9. Watch what you post on boards, be as general as possible.
10. Ask questions…but do it politely and don’t expect to have everything handed to you.

1. Change parity, data length, and stop bits. The system may not respond to 8N1 (most common setting) but may respond to 7E1,8E2, 7S2, etc.
2. Change baud rates.
3. Send a series of carriage returns.
4. Send a hard break followed by a carriage return.
5. Send control characters. Work from ^a to ^z.
6. Change terminal emulation.
7. Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, GO, LOGON, JOIN, HELP, or anything else you can think off.

Common default accounts are root, admin, sysadmin, unix, uucp, rje, guest, demo, daemon, sysbin. These accounts may be unpassworded or the password may possibly be the same (i.e. username uucp has uucp as the passwd).

The password file is usually called /etc/passwd. Each line of the passwd file of a UNIX system follows the following format:

What each of these fields mean/do—

Note that all the fields are separated by colons in the passwd file.

Those mean that the password is shadowed in another file. You have to find out what file, where it is and so on. Ask somebody on your system about the specifics of the Yellow Pages system, but discretely!

Tripwire is a tool for Unix admins to use to detect password cracker activity, by checking for changed files, permissions, etc. Good for looking for trojan horses like password stealing versions of telnet/rlogin/ypcat/uucp/etc, hidden setuid files, and the like.

A SUID program is a program that when executed has the privs of the owner.
A GUID has the privs of the group when executed.

1. Someone has a SUID program on their account, it happens to allow a shell to, like @ or jump to a shell. If it does that, after you execute said file and then spawn a shell off of it, all you do in that shell has the privs of that owner.
2. If there is no way to get a shell, BUT they leave the file writable, just write over it a script that spawns a shell, and you got their privs again.

If you can get access to the ‘console’ AIX machines have a security hole where you can kill the X server and get a shell with ctrl-alt-bkspce. Also by starting an xterm up from one you are not logged in the utmp for that session because the xterms don’t do utmp logging as a default in AIX. Or try the usual UNIX tricks:

ftping /etc/passwd, tftping /etc/passwd, doing a finger and then trying each of the usernames with that username as a password.

A UNIX disk quota may be increased by finding a directory on another partition and using that. Find another user who wants more quota and create a directory for the other to use, one that is world writable.
Once they’ve put their subdirectory in it, change the perms on the directory to only read-execute. The reason this works is that
usually accounts are distributed across a couple of filesystems, and admins are usually too lazy to give users the same quotas on each filesystem. If the users are all on one filesystem, you may be able to snag some space from one of the /usr/spool directories by creating a ‘hidden’ subdirectory like .debug there, and using that.

Most x commands have a -display option which allows you to pick a terminal to send to. So if you use bitmap to create a bitmap, or download one, etc then:

Protect yourself:
If you use xhost – this will disable other people from being able to log you out or generally access your terminal.

First, you need to make sure that the decode daemon is active.
Check this by telnetting to the smtp port (usually port 25), and expanding user Decode. If it gives you something, you can use it.
If it tells you that the user doesn’t exist, or whatever, you can’t.

If the daemon is active, this is how to exploit the decode daemon:
1) uuencode an echo to .rhosts
2) pipe that into mail, to be sent to the decode daemon (What happens: the decode daemon (1st) decodes the process, but
leaves the bin priveleges resident. (2nd) the echo command is executed, because now the decoded message assumes the bin priveleges [which are *still* active, even though the daemon didn't issue the command]).
3) If this is done right, you will be able to rlogin to the sysem.

Password encryption on UNIX is based on a modified version of the DES [Data Encryption Standard]. Contrary to popular belief, the typed password is not encrypted. Rather the password is used as the key to encrypt a block of zero-valued bytes.
To begin the encryption, the first seven bits of each character in the password are extracted to form the 56-bit key. This implies
that no more than eight characters are significant in a password.
Next, the E table is modified using the salt, which is the first two characters of the encrypted password (stored in the passwd file).
The purpose of the salt is to makae it difficult to use hardware DES chips or a precomputed list of encrypted passwords to attack the algorithm. The DES algorithm (with the modified E table) is then invoked for 25 iterations on the block of zeros. The output of this encryption, which is 64 bits long, is then coerced into a 64-character alphabet (A-Z, a-z, 0-9, “.” and “/”). Because this
coersion involves translations in which several different values are represented by the same character, password encryption is essentially one-way; the result cannot be decrypted.

- futurbillgate

The computer world, at any rate. Every single time you open up a
website, send an email or upload your webpages into cyberspace, you are
connecting to another machine in order to get the job done. This, of
course, presents a major problem, because this simple act is what
allows malicious users to target a machine in the first place.

# How do these people find their victim?

Well, first of all, they need to get hold of the victim’s IP Address.
Your IP (Internet Protocol) address reveals your point of entry to the
Internet and can be used in many ways to cause your online activities
many, many problems. It may not reveal you by name, but it may be
uniquely identifiable and it represents your digital ID while you are
online (especially so if you’re on a fixed IP / DSL etc).

With an IP address, a Hacker can find out all sorts of weird and
wonderful things about their victim (as well as causing all kinds of
other trouble, the biggest two being Portnukes/Trojans and the dreaded
DoS ((Denial of Service)) attack). Some Hackers like to collect IP
Addresses like badges, and like to go back to old targets, messing them
around every so often. An IP address is incredibly easy to obtain -
until recently, many realtime chat applications (such as MSN) were
goldmines of information. Your IP Address is contained as part of the
Header Code on all emails that you send and webpages that you visit can
store all kinds of information about you. A common trick is for the
Hacker to go into a Chatroom, paste his supposed website address all
over the place, and when the unsuspecting victim visits, everything
about your computer from the operating system to the screen resolution
can be logged…and, of course, the all important IP address. In
addition, a simple network-wide port scan will reveal vulnerable target
machines, and a war-dialler will scan thousands of lines for exposed
modems that the hacker can exploit.

So now that you know some of the basic dangers, you’re probably wondering how these people connect to a victim’s machine?

## Virtual and Physical Ports ##

Everything that you recieve over the Internet comes as a result of
other machines connecting to your computer’s ports. You have two types;
Physical are the holes in the back of your machine, but the important
ones are Virtual. These allow transfer of data between your computer
and the outside world, some with allocated functions, some without, but
knowing how these work is the first step to discovering who is
attacking you; you simply MUST have a basic knowledge of this, or you
won’t get much further.

# What the phrases TCP/UDP actually mean

TCP/IP stands for Transmission Control Protocol and Internet Protocol,
a TCP/IP packet is a block of data which is compressed, then a header
is put on it and it is sent to another computer (UDP stands for User
Datagram Protocol). This is how ALL internet transfers occur, by
sending packets. The header in a packet contains the IP address of the
one who originally sent you it. Now, your computer comes with an
excellent (and free) tool that allows you to see anything that is
connected (or is attempting to connect) to you, although bear in mind
that it offers no blocking protection; it simply tells you what is
going on, and that tool is NETSTAT.

## Netstat: Your first line of defence ##

Netstat is a very fast and reliable method of seeing exactly who or
what is connected (or connecting) to your computer. Open up DOS
(Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS
Prompt, type:

netstat -a

(make sure you include the space inbetween the “t” and the “a”).

If you’re connected to the Internet when you do this, you should see something like:

Active Connections

Proto Local Address Foreign Address State

TCP macintosh: 20034 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED

TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING

Now, “Proto(col)” simply means what kind of data transmission is taking
place (TCP or UDP), “Local address” is your computer (and the number
next to it tells you what port you’re connected on), “Foreign Address”
is the machine that is connected to you (and what port they’re using),
and finally “State” is simply whether or not a connection is actually
established, or whether the machine in question is waiting for a
transmission, or timing out etc.

Now, you need to know all of Netstat’s various commands, so type:

netstat ?

You will get something like this:

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a Displays all connections and listening ports.

-e Displays Ethernet statistics. This may be combined with the -s option.

-n Displays addresses and port numbers in numerical form.

-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display per-protocol
statistics, proto may be TCP, UDP, or IP.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are shown
for TCP, UDP and IP; the -p option may be used to specify a subset of
the default.

Have a play around with the various options, but the most important use
of these methods is when you combine them. The best command to use is

netstat -an

because this will list all connections in Numerical Form, which makes
it a lot easier to trace malicious users….Hostnames can be a little
confusing if you don’t know what you’re doing (although they’re easily
understandable, as we shall see later). Also, by doing this, you can
also find out what your own IP address is, which is always useful.

Also,

netstat -b

will tell you what ports are open and what programs are connecting to the internet.

## Types of Port ##

It would be impossible to find out who was attacking you if computers
could just access any old port to perform an important function; how
could you tell a mail transfer from a Trojan Attack? Well, good news,
because your regular, normal connections are assigned to low, commonly
used ports, and in general, the higher the number used, the more you
should be suspicious. Here are the three main types of port:

# Well Known Ports These run from 0 to 1023, and are bound to the
common services that run on them (for example, mail runs on channel 25
tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find
one of these ports open (and you usually will), it’s usually because of
an essential function.

# Registered Ports These run on 1024 to 49151. Although not bound to a
particular service, these are normally used by networking utilities
like FTP software, Email client and so on, and they do this by opening
on a random port within this range before communicating with the remote
server, so don’t panic (just be wary, perhaps) if you see any of these
open, because they usually close automatically when the system that’s
running on them terminates (for example, type in a common website name
in your browser with netstat open, and watch as it opens up a port at
random to act as a buffer for the remote servers). Services like MSN
Messenger and ICQ usually run on these Ports.

# Dynamic/Private Ports Ranging from 49152 to 65535, these things are
rarely used except with certain programs, and even then not very often.
This is indeed the usual range of the Trojan, so if you find any of
these open, be very suspicious. So, just to recap:

Well Known Ports 0 to 1023 Commonly used, little danger.

Registered Ports 1024 to 49151 Not as common, just be careful.

Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.

## The hunt is on ##

Now, it is essential that you know what you’re looking for, and the
most common way someone will attack your machine is with a Trojan. This
is a program that is sent to you in an email, or attempts to bind
itself to one of your ports, and when activated, it can give the user
your passwords, access to your hard drive…they can even make your CD
Tray pop open and shut. At the end of this Document, you will find a
list of the most commonly used Trojans and the ports they operate on.
For now, let’s take another look at that first example of Netstat….

Active Connections

Proto Local Address Foreign Address State

TCP macintosh: 27374 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED

TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING

Now, straight away, this should make more sense to you. Your computer
is connected on two ports, 80 and 27374. Port 80 is used for http/www
transmissions (ie for all intents and purposes, its how you connect to
the net, although of course it’s a lot more complicated than that).
Port 27374, however, is distinctly suspicious; first of all, it is in
the registered port range, and although other services (like MSN) use
these, let’s assume that you have nothing at all running like instant
messengers, webpages etc….you’re simply connected to the net through
proxy. So, now this connection is looking even more troublesome, and
when you realise that 27374 is a common port for Netbus (a potentially
destructive Trojan), you can see that something is untoward here. So,
what you would do is:

1) run Netstat , and use:

Netstat -a

then

Netstat -an

So you have both Hostnames AND IP addresses.

## Tracerouting ##

Having the attacker’s IP is all well and good, but what can you do with
it? The answer is, a lot more! It’s not enough to have the address, you
also need to know where the attacker’s connections are coming from. You
may have used automated tracerouting tools before, but do you jknow how
they work?

Go back to MSDOS and type

tracert *type IP address/Hostname here*

Now, what happens is, the Traceroute will show you all the computers
inbetween you and the target machine, including blockages, firewalls
etc. More often than not, the hostname address listed before the final
one will belong to the Hacker’s ISP Company. It’ll either say who the
ISP is somewhere in there, or else you run a second trace on the new
IP/hostname address to see who the ISP Company in question is. If the
Hostname that you get back doesn’t actually seem to mention an actual
geographical location within its text, you may think all is lost. But
fear not! Suppose you get a hostname such as

Well, that tells us nothing, right? Wrong….simply enter the hostname
in your browser, and though many times you will get nothing back,
sometimes it will resolve to an ISP, and from there you can easily find
out its location and in what areas they operate. This at least gives
you a firm geographical location to carry out your investigations in.

If you STILL have nothing, as a last resort you COULD try connecting to
your target’s ISP’s port 13 by Telnet, which will tell you how many
hours ahead or behind this ISP is of GMT, thus giving you a
geographical trace based on the time mentioned (although bear in mind,
the ISP may be doing something stupid like not having their clocks set
correctly, giving you a misleading trace. Similarly, a common tactic of
Hackers is to deliberately have their computer’s clock set to a totally
wrong time, so as to throw you off the scent). Also, unless you know
what you’re doing, I wouldn’t advise using Telnet (which is outside the
parameters of this tutorial).

## Reverse DNS Query ##

This is probably the most effective way of running a trace on somebody.
If ever you’re in a chatroom and you see someone saying that they’ve
“hacked into a satellite orbiting the Earth, and are taking pictures of
your house right now”, ignore them because that’s just bad movie
nonsense. THIS method is the way to go, with regard to finding out what
country (even maybe what State/City etc) someone resides, although it’s
actually almost impossible to find an EXACT geographical location
without actually breaking into your ISP’s Head Office and running off
with the safe.

To run an rDNS query, simply go back to MS-DOS and type

netstat

and hit return. Any active connections will resolve to hostnames rather than a numerical format.

# DNS

DNS stands for Domain Name Server. These are machines connected to the
Internet whose job it is to keep track of the IP Addresses and Domain
Names of other machines. When called upon, they take the ASCII Domain
Name and convert it to the relevant numeric IP Address. A DNS search
translates a hostname into an IP address….which is why we can enter
“www.Hotmail.com” and get the website to come up, instead of having to
actually remember Hotmail’s IP address and enter that instead. Well,
Reverse DNS, of course, translates the IP Address into a Hostname (ie -
in letters and words instead of numbers, because sometimes the Hacker
will employ various methods to stop Netstat from picking up a correct
Hostname).

So, for example,

298.12.87.32 is NOT a Hostname.

mail6.bol.net.au IS a Hostname.

Anyway, see the section at the end? (au) means the target lives in
Australia. Most (if not all) hostnames end in a specific Country Code,
thus narrowing down your search even further. If you know your target’s
Email Address (ie they foolishly sent you a hate mail, but were silly
enough to use a valid email address) but nothing else, then you can use
the Country codes to deduce where they’re from as well. You can also
deduce the IP address of the sender by looking at the emails header (a
“hidden” line of code which contains information on the sender)…on
Hotmail for example, go to Preferences, and select the “Full Header’s
Visible” option. Alternatively, you can run a “Finger” Trace on the
email address, at:

Plus, some ISP’s include their name in your Email Address with them too
(ie Wanadoo, Supanet etc), and your Hacker may be using an email
account that’s been provided by a Website hosting company, meaning this
would probably have the website host’s name in the email address (ie
Webspawners). So, you could use the information gleaned to maybe even
hunt down their website (then you could run a website check as
mentioned previously) or report abuse of that Website Provider’s Email
account (and thus, the Website that it goes with) to

If your Hacker happens to reside in the USA, go to:

for a complete list of US State abbreviatons.

## List of Ports commonly used by Trojans ##

Please note that this isn’t a complete list by any means, but it will
give you an idea of what to look out for in Netstat. Be aware that some
of the lower Ports may well be running valid services.

UDP: 1349 Back Ofrice DLL

31337 BackOfrice 1.20

31338 DeepBO

54321 BackOfrice 2000

TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash

23 Tiny Telnet Server

25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30

31 Hackers Paradise

80 Executor

456 Hackers Paradise

555 Ini-Killer, Phase Zero, Stealth Spy

666 Satanz Backdoor

1001 Silencer, WebEx

1011 Doly Trojan

1170 Psyber Stream Server, Voice

1234 Ultors Trojan

1243 SubSeven 1.0 – 1.8

1245 VooDoo Doll

1492 FTP99CMP

1600 Shivka-Burka

1807 SpySender

1981 Shockrave

1999 BackDoor 1.00-1.03

2001 Trojan Cow

2023 Ripper

2115 Bugs

2140 Deep Throat, The Invasor

2801 Phineas Phucker

3024 WinCrash

3129 Masters Paradise

3150 Deep Throat, The Invasor

3700 Portal of Doom

4092 WinCrash

4567 File Nail 1

4590 ICQTrojan

5000 Bubbel

5000 Sockets de Troie

5001 Sockets de Troie

5321 Firehotcker

5400 Blade Runner 0.80 Alpha

5401 Blade Runner 0.80 Alpha

5402 Blade Runner 0.80 Alpha

5400 Blade Runner

5401 Blade Runner

5402 Blade Runner

5569 Robo-Hack

5742 WinCrash

6670 DeepThroat

6771 DeepThroat

6969 GateCrasher, Priority

7000 Remote Grab

7300 NetMonitor

7301 NetMonitor

7306 NetMonitor

7307 NetMonitor

7308 NetMonitor

7789 ICKiller

8787 BackOfrice 2000

9872 Portal of Doom

9873 Portal of Doom

9874 Portal of Doom

9875 Portal of Doom

9989 iNi-Killer

10067 Portal of Doom

10167 Portal of Doom

10607 Coma 1.0.9

11000 Senna Spy

11223 Progenic trojan

12223 Hack´99 KeyLogger

12345 GabanBus, NetBus

12346 GabanBus, NetBus

12361 Whack-a-mole

12362 Whack-a-mole

16969 Priority

20001 Millennium

20034 NetBus 2.0, Beta-NetBus 2.01

21544 GirlFriend 1.0, Beta-1.35

22222 Prosiak

23456 Evil FTP, Ugly FTP

26274 Delta

30100 NetSphere 1.27a

30101 NetSphere 1.27a

30102 NetSphere 1.27a

31337 Back Orifice

31338 Back Orifice, DeepBO

31339 NetSpy DK

31666 BOWhack

33333 Prosiak

34324 BigGluck, TN

40412 The Spy

40421 Masters Paradise

40422 Masters Paradise

40423 Masters Paradise

40426 Masters Paradise

47262 Delta

50505 Sockets de Troie

50766 Fore

53001 Remote Windows Shutdown

54321 SchoolBus .69-1.11

61466 Telecommando

65000 Devil

## Summary ##

I hope this tutorial is useful in showing you both how to secure
yourself against unwanted connections, and also how to determine an
attacker’s identity. The Internet is by no means as anonymous as some
people think it is, and although this is to the detriment of people’s
security online, this also works both ways….it IS possible to find
and stop even the most determined of attackers, you just have to be
patient and keep hunting for clues which will help you put an end to
their exploits.

Before you begin, gather your Windows and application CD-ROMs. Back up your data files (just to be safe), and then clear two days off your calendar. If everything goes smoothly, you can reinstall Windows in a few hours. But you have to assume something will go wrong: You may not be able to find a necessary CD, or data won’t be where you thought it was, or something will simply refuse to work.

There’s a difference between a repair reinstall and a complete reinstall. Though a repair (also called a refresh) will let you keep your current settings, a complete reinstall will give you a truly fresh version of Windows. Repairs are fast and easy, but they don’t fix anywhere near as many problems. The instructions below are for total reinstalls, except where noted.
Your Vendor’s Restore CD

Most computers ship with a vendor-specific restore CD rather than with a Microsoft Windows CD-ROM. (If your PC came with a Microsoft Windows CD, or if you bought a retail copy of Windows, skip to the section for your version.)

Some restore CDs give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the PC. (This case is the exception I mentioned above that requires a reformat.)

If your restore CD is reformat-only, back up your data files to a network or a removable medium before reinstalling Windows. If you use Windows 98 or Me, back up C:\My Documents, plus the folders inside C:\Windows discussed in the 98*steroidsRgangstaa section below. If you have Windows 2000 or XP, back up C:\Documents and Settings. Also back up any other folders in which you store your data files.
Windows 98 and ME CDs

These Windows versions keep some important data inside your soon-to-be-erased Windows folder, so you need to copy several of its subfolders to another location. Right-click My Computer and select Explore. Double-click the C: drive icon (in Me, you may then have to click View the entire contents of this drive). Right-click in the right pane and select New, Folder. Name the new folder oldstuff.

Go to the Windows folder (you might have to click View the entire contents of this folder), hold down Ctrl, and select the following subfolders: All Users, Application Data, Desktop, Favorites, Local Settings, Profiles, SendTo, and Start Menu. If you don’t see them all, select View, Folder Options (Tools, Folder Options in Me), click the View tab, select Show all files, and click OK. (If you still don’t see them all, don’t worry about it.) Press Ctrl and drag the folders to C:\oldstuff (see FIGURE 1).

Restart Windows with a start-up disk in your floppy drive. (To make a start-up floppy, insert a disk, select Start, Settings, Control Panel, double-click Add/Remove Programs, click Startup Disk, Create Disk, and follow the prompts.) At the Startup Menu, select Start computer with CD-ROM support. While the drivers load, insert your Windows CD-ROM.

Unless you’re doing a repair reinstall, type the command c:\windows\command\deltree /y c:\windows and press Enter. Deleting your old files could take time, but the /y switch suppresses confirmation prompts, so take a break.

When you’re back at the A: prompt, type x:setup, where x is your CD drive letter (it’s likely one letter past what it usually is in Windows, so if it’s D: in Windows, it’s probably E: here). Press Enter and follow the prompts.

Once you’re back in Windows, reinstall your graphics card driver. If you have Windows set up for more than one user, you’ll also have to re-create each account. Select Start, Settings, Control Panel, Users to do so. It’s important that the user names match those in the old installation. If you’re not sure, open Windows Explorer and navigate to C:\oldstuff\profiles. There you’ll find a folder for each registered user name (see FIGURE 2). Don’t worry about passwords. Log off and log back on as each user. When you’re done, log off and back on one more time, but instead of choosing a user name and a password, press Esc to enter Windows without being a specific user.

Select Start, Programs, MS-DOS Prompt (in Windows 98) or Start, Programs, Accessories, MS-DOS Prompt (in Windows Me). Type xcopy c:\oldstuff\*.* c:\windows /s /h /r /c and press Enter (if you want to know what the xcopy switches do, enter the command xcopy /?). When xcopy asks if it should overwrite a file, press a for All.

When xcopy is through, reboot and log on (as a particular user, if necessary). Open My Documents to make sure all your personal files are where they belong, including your Internet Explorer favorites and your custom Start menu shortcuts.

Now skip ahead to “Finishing the Job.”
Windows 2000 and XP CDs

Boot your computer with your Windows CD-ROM inserted. When you get the ‘Press any key to boot from CD’ message, do so. (If you don’t see that message before Windows starts, restart Windows, press the key you’re prompted to enter for your PC Setup program, and change the boot order so your CD drive is first.)

At the ‘Welcome to Setup’ screen, press Enter. The R (repair) option takes you to the Recovery Module, which is useful if Windows won’t boot, but it’s no help with a reinstallation. Soon you’ll be told that there’s already a Windows installation on the computer. Press r for a repair reinstall or Esc to begin a complete, destructive one. For a complete restore, select your C: partition and press Enter. When you get the warning that says an operating system is on that partition, press c. When you are asked your partition preference, select Leave the current file system intact (no changes). When you’re told that a Windows folder (or Winnt folder for Windows 2000) already exists, press l (‘ell’) to delete it and create a new one. Follow the series of prompts. When the installation program asks for your name, enter temp.

Once the installation is complete, your system will reboot into Windows, and you’ll be logged on as user Temp. If the screen is difficult to read, reinstall your graphics card driver.

If you are reinstalling Windows XP, skip to “For Both Windows XP and 2000.”

If you’re reinstalling Windows 2000, log off as Temp and back on as Administrator. Now log off and on again, this time as Temp. Open Windows Explorer and navigate to C:\Documents and Settings. One of the subfolders will be named Administrator. Another will be named something like Administrator.computername.

Select Start, Programs, Accessories, Command Prompt. Type cd “\documents and settings” and press Enter. Then type xcopy administrator\*.* administrator.computername /s /h /r /c, replacing computername with the last part of that folder’s name (after “Administrator.”) in Documents and Settings. Now press Enter, and when you’re asked about overwriting files or folders, press a for All.

If you have any users on the old installation besides Administrator, continue with the “For Both Windows XP and 2000″ section. Otherwise, open Windows Explorer and make sure your data files are where they belong. Then go to Control Panel’s Users and Passwords applet and delete the user Temp before skipping to “Finishing the Job.”
For Both Windows XP and 2000

Reopen Windows Explorer. Select your C: drive (you may have to click Show the contents of this folder). Right-click in the right pane and select New, Folder. Name the new folder oldstuff. In the left pane, choose the Documents and Settings folder. It should have subfolders for each user from the previous install, plus one for Temp and a few others. Move the folders for your previous user names to oldstuff.

Select Start, Control Panel, User Accounts (Start, Settings, Control Panel, Users and Passwords in Windows 2000). Create an account for each user who was registered before the reinstall. Be sure to use the exact names. They are the same names as the folders you just moved to oldstuff (as shown in FIGURE 2). In Windows XP, at least one user must have administrator privileges.

Log off and back on as each user, before logging back on as Temp. Make sure that you select Log Off and not Switch User at Windows XP’s Log Off dialog box (this isn’t an issue in Win 2000).

Log on as Temp, select Start, Programs, Accessories, Command Prompt (in XP, Start, All Programs, Accessories, Command Prompt), type xcopy c:\oldstuff\*.* “c:\documents and settings” /s /h /r /c, and press Enter. Press a when asked if you want to overwrite a file. Log off Temp and log on to each restored account to make sure everyone’s documents and data are where they belong. Log on as an administrator and run Control Panel’s User Accounts applet again to remove the user Temp.
Finishing the Job

Now you’ve got Windows going, but not much else. You may have to reinstall your printer, sound card, and so on. Luckily, if a driver for the gadget came on your Windows or vendor restore CD, it was probably reinstalled automatically.

You’ll have to reinstall your applications to reintroduce them to Windows. Some of their settings will not be changed by the reinstallation, but those that were stored in the Registry were wiped out.

Once your Internet connection is running again, browse to Windows Update and download all critical updates for your version (see FIGURE 3). Then visit the sites of your hardware vendors to update your drivers.

After the reinstall, some of your data may not show up where it should. Search for it in both your Application Data and oldstuff folders, and see if you can move it to the folder in which Windows or your apps are looking for it. If you find a folder called Identities with two subfolders whose names are long and indecipherable, try moving the contents of one to the other and see if your data reappears.

You’ve probably guessed that the final step is deleting the c:\oldstuff folder–and the Administrator folder in Windows 2000. Make this the very last step, however. Wait a couple of days, weeks, or even months until you’re confident that all of your needed files are accessible.

1) You open notepad

2) now you writ: [autorun]
OPEN=INSTALL\Setup_filename.EXE
ICON=INSTALL\Setup_filename.EXE

Now save it but not as a .txt file but as a .inf file.

But remember! The “Setup_filename.EXE” MUST be replaced with the name of the setup file. And you also need to rember that it is not all of the setup files there are called ‘.exe but some are called ‘.msi

3) Now burn your CD with the autorun .inf file included.

4) Now set the CD in you CD drive and wait for the autorun to begin or if nothing happens just double-click on the CD drive in “This Computer”
]]> http://dailysolution.wordpress.com/2009/03/26/make-a-autorun-file-for-your-cd/feed/ 0 futurbillgate http://dailysolution.wordpress.com/2009/03/26/kaspersky-78-kavkis-unblacklisting-method/ http://dailysolution.wordpress.com/2009/03/26/kaspersky-78-kavkis-unblacklisting-method/#comments Thu, 26 Mar 2009 11:04:35 +0000 futurbillgate http://dailysolution.wordpress.com/?p=29 ]]> [Tutorial] Kaspersky 7&8 KAV&KIS Unblacklisting Method

New Keys Added valid until 2011 Wink

Are you using a ‘pirate’ copy of KAV ? Are you tired of changing the license up to 3 times a month Very Happy ? Don’t stress yourself , Here’s my solution Smile :

KIS & KAV version 7.x:

Exclamation It uses advanced methods to avoid getting blacklisted and so on …

Quote:
You will be able to use a key even if it is already blacklisted so , you better listen carefully Smile

Download

Pass:

HOW TO
Read the Readme in the Folder
1. After installing KAV/KIS on your PC , do not activate , use “Activate Later” option .

2. Reboot to complete installation , again “Activate Later”

3. Deactivate all Proactive defense options from the AV like this :

4. In the folder you will find two patches , the one recommended for installing is “Kaspe.. Sollution” because the other one is slightly 99.8% stable not 100% , but is the same patch version so use whatever you like . (do not open the patch yet , so do not worry , cause it will work Wink)

5. Run your PC into Safe Mode with Networking Options :

Arrow There are two ways to get in Safe Mode
a) when booting up windows , press F8 right after the POST screen .
choose Safe Mode with Networking option .

b) Use the RUN from Start Menu .
go to Start -> RUN -> type : msconfig , hit ENTER ,
go to Boot.ini tab , select Safe Boot , check the Network option bellow and close the dialog box , hit Restart after this operation .

When asked what User to Log in , Exclamation click on the Default SYSTEM Administrator , NOT your account or your Guest account , YOUR DEfault Administrator Account , the one from the System , ussually Located in the first ROW .
[/img]http://www.techorama.org/images/win-xp-screen-full_69.jpg[img]
It is very important because the fact that this way the Patch has acces to the System so it will smoothly update . If your account is password protected (The admin acc. , type password when asked)

[/img]http://www3.georgetown.edu/uis/images/software/documentation/winxp/runas2.gif[img]
[/img]http://i25.tinypic.com/14mt25d.png[img]
6. Wait until you reach (get inside) in Safe Mode , you will see that screen (black) with Safe Mode in corners
[/img]http://www.bcot1.com/safemode03.jpg[img]
hit Yes in that box .

7. Double click the “Kas.. Sollution” patch . NOTE! You will have to wait a bit until it shows on the desktop because in Safe Mode , VGA resources are poor .

Exclamation If the Patch isn’t starting in maximum 2.5 minutes , press Ctrl+Alt+Del and simply wait . If even this method isn’t working , Run the second patch and close the first one . But I advice you to wait cause it will work Wink .

8. After starting the patch , you will see some buttons , that may be pressed depending on your version of the AV (KAV or KIS) . Read the following very carefully Smile

9. You will see this screen :
[/img]http://i26.tinypic.com/6fnpt3.jpg[img]
Press ‘key remover’ button first ,
After that ‘Clean’ Button
After that press !! Depending on your version “Patch KAV” or “Patch KIS (intenet security)” .

Cool Probably you won’t have time to see anything on the screen because it’s very fast Wink

10. Now press the “Key KAV+KIS” , and press “Install” , just like there Smile .

After finishing , you may hit “Exit” .

11. Go again to RUN -> msconfig -> Boot.ini and deactivate the safe mode , uncheck the safe Boot , so the OS can start in normal boot .

Image

12. After reboot , you will be asked to Activate , hit “Apply Existing License” and Use one of the ones from the folder I supplied Wink I have included Keygen also for KAV version Smile .

[/img]http://www.kaspersky.com/support/images/support_new/codeinstalled.jpg[img]
13. After Activation , you will have to Update the AV to have the latest protection services activated , and after that You may enable Proactive Defense again Wink .
[/img]http://i26.tinypic.com/fve6oi.png[img]
14. Happy Non-Blacklisting Protection , you can fully update and no worries about Blacklisting again , [the secret method I cannot tell you so don't ask Very Happy]

15. Updated successfully with a key that has already been blacklisted Very Happy :

[/img]http://i25.tinypic.com/m7gt2s.png[img]
[/img]http://i32.tinypic.com/2i881gp.png[img]
[/img]http://i29.tinypic.com/34858id.png[img]

Now you are protected against any type of malware

Reduced: 86% of original size [ 706 x 576 ] – Click to view full image

Now install the Antivirus as Trial first .

4. Reboot the PC , and after this step , select Activate Later , go into “Self Defense” menu and Disable it Temporary .

5. Now Reboot in Safe Mode just like in the previous pictures .

6. Run the Kaspersky Patch Smile [ Do not forget to be logged in as the Administrator and not Guest or Other User ]

7. The steps to Patch KAV/KIS are exactly the same for version 8 too . , After Done Patching , exit the application [patch] & Reboot in Normal Mode now .

8. When Asked for License , download this License File which is valid untill 2011 for KIS and until 2010 for KAV and until then you won’t have any problems with Updates

There are some videos on youtube which require you to be a member in order to watch them . What if you wanted to watch them without registering on youtube . Well here’s how to go about it .

For example a video like this :

http://youtube.com/watch?v=ksyxaKWS_j4

would ask you to login and verify your age . *

** How to watch it without logging in ***

We need to edit the link this way .

> Replace the “?” after watch with “/” and “=” after v with “/”

> So our link after editing would be : http://youtube.com/watch/v/ksyxaKWS_j4

> Now use this link in your browser to watch the video Enjoy !

Preferred DNS server:- 208.67.222.222
Alternate DNS server:- 208.67.220.220

To change this,
1 Go to control pannel
2 Network Connections
3 Then right click on your Internet connection and go to properties.
4 In the section “This connection uses the following items” ,click Internet Protocol(TCP/IP)
5 Then click properties
6 In that you will see two options 1.Obtain DNS server automatically
2.Use the following DNS sever addresses.

7 then enter the DNS addresses i gave you.put 208.67.222.222 as preferred DNS srver and 208.67.220.220 as Alternate DNS serever.