Hi Everybody!

I'm a tech at my school, and when using the computers I find that some "people" choose to do annoying things that leave the other users unable to do certain things, so I've compiled a few how-tos on how to rid a computer of these annoyances.
!!!Please!!! Use responsibly. I'm doing this because many people do not know what to do in the situations that will be explained below.


First off, in my Computer Science class, someone enabled Internet Explorer's Content Advisor, which basically blocks every site and prompts you for a password. So, I had to do this:

First, run Regedit:
Start -> Run: regedit
or Windows Key + R: regedit

While in the registry editor, use the directory tree to get to this position:

HKEY_LOCAL_MACHINE
  Software
    Microsoft
      Windows
        CurrentVersion
          Policies
            NonEnum
            Ratings
            system

(the full path is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings)

Once you're there, click the Ratings folder and, in the right-hand panel, you'll see a value named Key. Click on that and press Delete, or right-click -> Delete.
Now you can close regedit. Close all Internet Explorer browser windows, open up a new browser session and BOOM! It's gone. (I taught this to my professor :P)
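The same check done from an elevated PowerShell prompt, as an added example that is not part of the original post. It uses the Ratings key path given above; the function name and the dry-run behaviour (nothing is removed unless you call it without -WhatIf) are my own choices.

```powershell
# Added example (not from the original post): report whether the Content
# Advisor "Key" value is present under the Ratings key described above and,
# only when asked, remove it. Assumes an elevated (Administrator) prompt.
function Remove-ContentAdvisorKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Path from the post; HKLM: is PowerShell's drive for HKEY_LOCAL_MACHINE
        [string]$RatingsPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings'
    )

    if (-not (Test-Path $RatingsPath)) {
        Write-Output "Ratings key not present: Content Advisor has never been configured here."
        return
    }

    # Get-ItemProperty returns one object whose properties are the key's values
    $props = Get-ItemProperty -Path $RatingsPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains 'Key')) {
        Write-Output "No 'Key' value under Ratings: no supervisor password is set."
        return
    }

    Write-Output "Found 'Key' value (the stored supervisor password) under $RatingsPath."
    # ShouldProcess honours -WhatIf / -Confirm, so a dry run shows what would happen
    if ($PSCmdlet.ShouldProcess($RatingsPath, "Remove 'Key' value")) {
        Remove-ItemProperty -Path $RatingsPath -Name 'Key'
        Write-Output "Removed. Close every Internet Explorer window and reopen it for the change to take effect."
    }
}

# Dry run first (prints what would be removed), then the real thing:
Remove-ContentAdvisorKey -WhatIf
# Remove-ContentAdvisorKey
```

Running the dry run first is the habit worth keeping: it confirms you are editing the key you meant before anything under Policies is touched.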

Checking for KeyLoggers:

This is a real bad case in the labs, along with the Sub7 trojan, which will be covered later.

Info on keyloggers:
Keyloggers log your keystrokes by recording which key you pressed and writing it to a log file, usually a .txt file located either in the Windows directory or in the folder the keylogger itself is in. Note: a keylogger runs a background process on your computer, which is the program that records the keystrokes, so yes: when you press Ctrl+Alt+Del, the keylogger program will be visible there. Now, how to identify it.

First, you will want to close any programs that you are running: AIM, p2p programs, mIRC, stuff like that. (This narrows down the number of programs to look through.)

Now, press ctrl+alt+del

In the Task Manager window you'll find a few programs still running, and most of those are Windows programs and are a "must have". Finding the actual keylogger program is the tricky part. I myself look for a program with a funky name OR a program that has the words "key" or "logger" in it. If I'm wrong and I get a blue screen, oh well.

Now, in the process of installing itself, a keylogger tells Windows that it wants to be run every time Windows starts up. So, the next thing you can do to sniff out keyloggers is:
Go to Start -> Run: msconfig

A window will pop up entitled "System Configuration Utility".
Click the "Startup" tab. In the list box, scroll through the programs and, if you find a few that look suspicious, look at the directory each is stored in and go to it. Chances are, if it is a keylogger, it will have a README file that explains how to install it.

And last... get a virus scanner, go to Folder Options and set Windows Explorer to "Show All" files, then scan every single executable file.
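The three checks in this section (running processes, the msconfig Startup list, and hidden executables in the Windows directory) done from PowerShell, as an added example that is not part of the original post. The name patterns are an assumption that mirrors the post's "key" or "logger" heuristic, and a hit is only a lead to go look at, not proof of a keylogger.

```powershell
# Added example (not from the original post): a first-pass filter over the same
# places the post says to look. Assumes PowerShell 3+ on Windows; Get-CimInstance
# Win32_StartupCommand lists Run-key and Startup-folder entries, which is what
# the msconfig "Startup" tab shows.
function Find-SuspiciousStartup {
    param(
        # Assumed name fragments; the post uses "key" and "logger"
        [string[]]$Patterns = @('key', 'logger', 'hook', 'spy')
    )
    $regex = ($Patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Running processes (what Ctrl+Alt+Del / Task Manager shows), with image path.
    #    Path is $null for processes we are not allowed to inspect; -match on $null is just false.
    $procs = Get-Process |
        Where-Object { $_.ProcessName -match $regex -or $_.Path -match $regex } |
        Select-Object @{n = 'Source'; e = { 'Process' } },
                      @{n = 'Name'; e = { $_.ProcessName } },
                      @{n = 'Location'; e = { $_.Path } }

    # 2. Startup entries: Location tells you which Run key or Startup folder it came from,
    #    Command is the path to go and inspect (the post's "look at the directory it's stored in").
    $startupHits = Get-CimInstance Win32_StartupCommand |
        Where-Object { $_.Name -match $regex -or $_.Command -match $regex } |
        Select-Object @{n = 'Source'; e = { "Startup: $($_.Location)" } },
                      Name,
                      @{n = 'Location'; e = { $_.Command } }

    # 3. Hidden executables in the Windows directory: -Force makes Get-ChildItem
    #    include hidden/system files, which is the "Show All" step done by hand.
    $hidden = Get-ChildItem -Path $env:windir -Filter *.exe -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object @{n = 'Source'; e = { 'Hidden exe' } },
                      Name,
                      @{n = 'Location'; e = { $_.FullName } }

    # Flatten the three result sets into one list, dropping empty ones
    @($procs; $startupHits; $hidden) | Where-Object { $null -ne $_ }
}

Find-SuspiciousStartup | Format-Table -AutoSize
```

Each row carries the directory to go and look in, so the next step is exactly the post's: open that folder and see what else (a README, a .txt log) is sitting next to the executable.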

Sniffing out Sub7:

I can't get enough of Sub7. Some kids just like to play around with these things, and it gets to the point where people are grabbing other people's IP addresses, disabling keyboards, shutting off monitors and stuff like that.

(Provided by: http://www.hackguard.net/sub7adv2.htm)

Since I read this, every time I check a computer to see whether it's infected, I open
C:\Windows\win.ini

I look under [windows] and if I find that the "run=" line is occupied with the following:
c:\windows\SysTrayIcon.exe, I know it's infected.
I follow up by deleting the "c:\Windows\SysTrayIcon.exe" part. I then immediately go to c:\windows and delete the program called "SysTrayIcon". Then I would open c:\windows\system.ini and find the line under the [boot] section which should read "shell=Explorer.exe". Delete that as well.

Then open up your registry editor and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete any entry that mentions the SysTrayIcon.exe file.

Next, go to this spot in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

"If you see a suspicious looking file like kerne132.dl then it should be safe to remove it. Note that most file extensions are 3 characters in length. An extension like .dl (only two characters in length) suggests that the file might be a Trojan Horse. To remove this file, first go to your Desktop. Select My Computer, right click and option Find. Find the file listed in your registry under the RunServices field and place it in a temporary folder (without double clicking on it). Then remove it from the registry by selecting it and hitting the Delete key." (Step 8., HackGuard.net)

Last, go here in the registry:
HKEY_CLASSES_ROOT\exefile\shell\open\command\

(Taken from Step 10 of HackGuard.net's removal guide)

10. If you notice any file before the "%1" %* make a note of the name and remove that file (but not the entire key). To remove just the file, double click on the key, and then remove the mueexe.exe or whatever the filename is from that position. If you remove the entire key your computer will not allow you to run any programs and will be unusable! The fixed key should only contain:

"%1" %*

It must be exactly as above, quotes included. When you remove that file from the registry remove it from your hard drive. It should be in your c:\windows folder.

Important: After you do this, you must restart your computer.

Important2: (Taken from HackGuard.net's Reminder section)

It's important to note that the server will not always be called SysTrayIcon and that it will not always have the same icon as the one pictured above. Experienced "hackers" will often change the server name or have the server assign a new name to itself each time it's run. Keep in mind that server names might be something as simple as SysTrayIcon.exe, Explorerr.exe, Systray.dll or as random as k40xrk.exe.


If you notice a suspicious looking file, double click on it. If nothing happens after you click on it a couple of times then it might be a Trojan horse. Some Trojan horse servers generate a fake error message just to make the user think that it crashed, when all it really did was install itself into the system folder.

Please feel free to read HackGuard.net's removal guide by going to here:
http://www.hackguard.net/sub7adv2.htm
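The persistence spots this section walks through (win.ini run=, system.ini shell=, the Run and RunServices keys, and the exefile open command) checked in one pass, as an added example that is neither the original post's nor HackGuard's code. It only reports; deleting anything stays a manual step, as in the guide. Assumptions: win.ini and system.ini are read from the Windows directory (on newer Windows they may be missing or nearly empty, which the script treats as "nothing found"); the normal values are an empty run=, shell=Explorer.exe with nothing appended after it, and the exefile open command "%1" %*; the short-extension flag follows the guide's remark that most extensions are three characters.

```powershell
# Added example (not from the original post or HackGuard's guide): read-only
# check of the Sub7 persistence locations described above. Run from an
# elevated prompt so the HKLM keys are readable.
function Test-Sub7Indicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # Read one key from one section of an .ini file; $null when file/section/key is absent
    function Get-IniValue([string]$File, [string]$Section, [string]$Key) {
        if (-not (Test-Path $File)) { return $null }
        $inSection = $false
        $keyPattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(.*)$'
        foreach ($line in Get-Content $File) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -ieq $Section); continue }
            if ($inSection -and $line -match $keyPattern) { return $Matches[1].Trim() }
        }
        return $null
    }

    # 1. win.ini [windows] run= is normally empty (assumed baseline)
    $run = Get-IniValue (Join-Path $env:windir 'win.ini') 'windows' 'run'
    if ($run) { $findings.Add("win.ini [windows] run= is not empty: '$run'") }

    # 2. system.ini [boot] shell= is normally exactly Explorer.exe; anything
    #    appended after it is the thing to look at (assumed baseline)
    $shell = Get-IniValue (Join-Path $env:windir 'system.ini') 'boot' 'shell'
    if ($shell -and $shell -ine 'Explorer.exe') {
        $findings.Add("system.ini [boot] shell= is '$shell' (expected Explorer.exe)")
    }

    # 3. Run and RunServices: list every entry for review, flagging 1-2 character
    #    extensions like the guide's kerne132.dl example
    foreach ($key in 'Run', 'RunServices') {
        $path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$key"
        if (-not (Test-Path $path)) { continue }
        foreach ($p in (Get-ItemProperty -Path $path).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSChildName metadata
            $cmd = [string]$p.Value
            $note = if ($cmd -match '\.[A-Za-z]{1,2}(\s|"|$)') { ' <- short extension' } else { '' }
            $findings.Add("$key\$($p.Name) = $cmd$note")
        }
    }

    # 4. HKCR\exefile\shell\open\command must be exactly "%1" %* (Windows default);
    #    anything in front of it runs every time any .exe is launched
    $exeCmd = (Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
    if ($exeCmd -ne '"%1" %*') {
        $findings.Add("exefile open command is '$exeCmd' (expected `"%1`" %*)")
    }

    if ($findings.Count -eq 0) { $findings.Add('No Sub7 indicators found in the checked locations.') }
    return $findings
}

Test-Sub7Indicators
```

The Run/RunServices entries are always printed, not just the flagged ones, because the reminder section above is right that the server name changes: reading the full list by eye is the check that catches k40xrk.exe-style names that no pattern would.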


This concludes my tutorial entitled "Remove Me". I hope it suits you well and you learn valuable information from this. Please be responsible, and always have a designated driver.


Thank You.
If there is any false information, please notify me asap.