<body>

::[ vectorzx domain ]::

There are no boring words in a hacker's life.
New day = new things. Don't be lazy fools!

Forex Target Time In Malaysia

Friday, June 05, 2009

For GBP/JPY and GBP/USD, start from around 11pm - 1am Malaysia time, because the market is active during that time.

Return of the Jedi

Wednesday, February 14, 2007

Hoho... after about 6 months of not writing in my own blog, now I'm back. But does this affect anyone else's life? Who knows...

Ok, from now on I'll be focusing more on contributing something to the open source field. Not to mention that I was also completing the MySurfGuard project, which was developed while I was at my previous company.

These words really caught my attention (from Eric S. Raymond, who wrote The Cathedral and the Bazaar and is the founder of fetchmail):
1. Every good work of software starts by scratching a developer's personal itch.
2. Good programmers know what to write. Great ones know what to rewrite (and reuse).
3. If you have the right attitude, interesting problems will find you.

I suggest that all of you read this book. It is really interesting and helps clarify what open source actually means. Really. Think about the phrases above and you will understand what they mean.

The Wilderness of Brontok

Friday, May 26, 2006

Disclaimer: I will not be responsible for any damage done to your computer. Only do this if you are confident with these instructions.

What? What is this folder icon? How can it have the same name as the folder? Let's click it. And then the whole system was infected by Brontok. *Sigh* This is what happens when we click on things automatically without looking. We were fooled by a simple trick that plays on human habit.

So how can we restore our system to normal? Ok, follow these steps and you'll be safe.

1. The first and most important step: if you're on a network, disconnect your PC and disable any file sharing to prevent the worm from spreading. After that, download your preferred antivirus program, such as AVG, and its latest update using a clean PC.

Also download UnHookExec.inf from Symantec. We will use this file to restore the registry settings the worm changed. Later on I will show you how to use it. Transfer all the necessary files to your thumb drive or a writable CD and bring them to the infected PC. Make sure your thumb drive is switched to read-only mode.

2. Then disable System Restore to ensure that the worm will not be restored into your system later. You can turn it back on after you have eliminated the worm.

3. According to the Trend Micro site, the worm automatically closes or terminates any program window with the following names: Registry, Command Prompt, System Configuration, antivirus programs (e.g. AVG, Avast, Trend Micro) and other specific names, including Process Explorer. This means we can't use Process Explorer to kill the worm.

So an alternative to that third-party software is Complete Process Manager (CPM). It's shareware, which means you must pay to get the full version. It's up to you whether to buy it or not, but you can use the full features in the trial version.

4. Once you've installed CPM, run it and search for processes running with the names crss.exe, inetinfo.exe, lsass.exe, services.exe, smss.exe, and winlogon.exe. Make sure the ones you pick are not run by SYSTEM, because you can't terminate processes run by SYSTEM; you can only kill/terminate processes run by yourself.

After you kill those processes, kill the main worm processes, identified by a letter and a number (%Windir%\j[RANDOM].exe and %Windir%\o[RANDOM].exe), for example j0128237.exe or o218230.exe. Usually there are two such processes running in the background.

5. Run the UnHookExec.inf file by right-clicking it and choosing Install. Now you can access the Registry Editor. Go to Start->Run and type regedit. This opens the Registry Editor program.

6. Follow these steps to remove the worm's entries in the Registry Editor. You can find each key/subkey using the editor's search function.

Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
In the right pane, delete the value:
"f3444Adm" = ""%UserProfile%\Local Settings\Application Data\dv[RANDOM]0x\yesbron.com""

Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
"f3444Adm" = ""%System%\s[RANDOM]\zh59[RANDOM].exe""

Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
In the right pane, delete the value:
"N7593c" = "%Windir%\_default[RANDOM].pif"

Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
In the right pane, delete the value:
"N7593c" = "%Windir%\j[RANDOM].exe"

Navigate to the subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
In the right pane, delete the value:
"AlternateShell" = "c_[RANDOM]k.com"

Navigate and delete the subkey:
HKEY_CURRENT_USER\Software\Brontok

Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
In the right pane, reset the value:
"Userinit" = "%System%\userinit.exe,%Windir%\j[RANDOM].exe"
"Shell" = "Explorer.exe "%Windir%\o[RANDOM].exe""
To
"Userinit" = "%System%\userinit.exe"
"Shell" = "Explorer.exe"

Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
In the right pane, reset the values to their original values if known:
"Hidden" = "0"
"HideFileExt" = "1"
"ShowSuperHidden" = "0"
Navigate to the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
In the right pane, reset the values to their original values if known:
"DisableRegistryTools" = "1"

7. After you're done editing the registry values, it's time to install and update your antivirus. When the update completes, scan the whole system for infected files and delete them. You can also move a file to the vault if it is important for further investigation. After the full scan is complete, reboot your computer.

8. If Windows loads successfully without any unnecessary black DOS window or anything similar, and when you check your folders there are no duplicated directories, congratulations, your PC is clean from the wilderness of Brontok!

9. Do a full scan again if you suspect any malicious activity, and don't forget to update your antivirus frequently.
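Steps 4 to 6 above are done by hand in CPM and regedit. As an added example (not part of the original post and not a Symantec, Trend Micro or CPM tool), here is a read-only PowerShell audit of the same process names and registry locations: it reports anything that differs from the Windows defaults or that matches the file-name patterns listed in step 6, and it changes nothing, so you can run it before cleaning and again after the reboot in step 8. It assumes Windows PowerShell 3.0 or later started as Administrator. The defaults it compares against (Userinit = System32\userinit.exe with a trailing comma, Shell = Explorer.exe, SafeBoot AlternateShell = cmd.exe) are the standard Windows values, and csrss.exe is checked alongside the "crss.exe" spelling used in step 4, since the genuine Windows process is csrss.exe.

```powershell
# Added example, not from the original post: a read-only audit of the process
# names and registry locations covered by steps 4 to 6. It only reports;
# clean the entries with regedit as described in step 6.
# Assumes Windows PowerShell 3.0+ run from an elevated (Administrator) prompt.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Where, [string]$Name, [string]$Value, [string]$Reason) {
    [void]$findings.Add([pscustomobject]@{ Where = $Where; Name = $Name; Value = $Value; Reason = $Reason })
}

# --- Step 4: the worm runs copies of itself under system-looking names. The real
# ones live under %SystemRoot%\System32 (inetinfo.exe in System32\inetsrv), so a
# process with one of these names whose image is anywhere else is a candidate.
# "crss" is the spelling used in step 4; the genuine Windows process is csrss.exe.
$systemNames = 'crss', 'csrss', 'inetinfo', 'lsass', 'services', 'smss', 'winlogon'
$system32    = Join-Path $env:SystemRoot 'System32'
foreach ($p in Get-CimInstance Win32_Process) {
    $base  = [IO.Path]::GetFileNameWithoutExtension($p.Name)
    $label = "$($p.Name) (PID $($p.ProcessId))"
    if ($systemNames -contains $base -and $p.ExecutablePath -and
        -not $p.ExecutablePath.StartsWith($system32, 'OrdinalIgnoreCase')) {
        Add-Finding 'process' $label $p.ExecutablePath 'system process name, image outside System32'
    }
    # the main worm processes: %Windir%\j[RANDOM].exe and %Windir%\o[RANDOM].exe
    if ($base -match '^[jo]\d+$' -and $p.ExecutablePath -like (Join-Path $env:SystemRoot '*')) {
        Add-Finding 'process' $label $p.ExecutablePath 'matches j[RANDOM]/o[RANDOM] name in %Windir%'
    }
}

# --- Step 6: autorun entries. The policies\Explorer\Run keys are normally absent
# on a home PC, so anything in them deserves a look. The pattern is built from the
# file names listed in step 6 (j/o[RANDOM].exe, _default[RANDOM].pif, zh59[RANDOM].exe,
# yesbron.com, c_[RANDOM]k.com).
$pattern = '(\\[jo]\d+\.exe|_default\w*\.pif|zh59\w*\.exe|yesbron\.com|c_\w+k\.com)'
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.), not registry values
        $reason = if ("$($prop.Value)" -match $pattern) { 'matches a Brontok file name from step 6' }
                  else { 'autorun entry, verify by hand' }
        Add-Finding $key $prop.Name "$($prop.Value)" $reason
    }
}

# --- Step 6: logon values the worm hijacks. Windows defaults are
# Userinit = "<System32>\userinit.exe," (the trailing comma is normal) and Shell = "Explorer.exe".
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ("$($wl.Userinit)".TrimEnd(',') -ne (Join-Path $system32 'userinit.exe')) {
    Add-Finding 'Winlogon' 'Userinit' "$($wl.Userinit)" 'expected only <System32>\userinit.exe'
}
if ("$($wl.Shell)".Trim() -ne 'explorer.exe') {
    Add-Finding 'Winlogon' 'Shell' "$($wl.Shell)" 'expected Explorer.exe'
}

# --- Step 6: safe-mode shell (default cmd.exe) and the worm's own marker key.
$sb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
if ("$($sb.AlternateShell)" -ne 'cmd.exe') {
    Add-Finding 'SafeBoot' 'AlternateShell' "$($sb.AlternateShell)" 'expected cmd.exe'
}
if (Test-Path 'HKCU:\Software\Brontok') {
    Add-Finding 'HKCU:\Software\Brontok' '(key)' '' 'worm marker key exists, delete it'
}

# --- Step 6: Explorer and policy settings the worm flips. The Advanced values are
# reported as they are so you can decide what to restore; DisableRegistryTools must be 0.
$adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
foreach ($n in 'Hidden', 'HideFileExt', 'ShowSuperHidden') {
    Add-Finding 'Explorer\Advanced' $n "$($adv.$n)" 'current value, reset if the worm changed it'
}
$pol = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ([int]$pol.DisableRegistryTools -ne 0) {
    Add-Finding 'Policies\System' 'DisableRegistryTools' "$($pol.DisableRegistryTools)" 'regedit is blocked; see step 5'
}

if ($findings.Count -eq 0) { 'Nothing found in the locations checked.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Because the worm kills windows whose titles match names like "Command Prompt", start the console after killing the worm processes in step 4, or run the script from a console you open while the worm is not yet active (for example in Safe Mode once AlternateShell has been verified). The Explorer\Advanced values are listed regardless of their content because there is no single correct default for every PC; compare them with what you remember setting.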

That's all. I hope these removal instructions help you remove the worm. If you have any comments or suggestions, do not hesitate to comment on this article. Thanks.

Reference:
1. Symantec Removal Instructions
2. MyCERT Special Alert - W32.Brontok Worm

PS3 Run On Linux

Friday, April 07, 2006

Linuxdevices.com today confirmed that the PlayStation 3 console will ship with Linux as its operating system, and will not only be a gaming console but a productivity console as well! Think of your PlayStation 3 console now as a router, storage device, and maybe even your Folding@Home machine ;) Hopefully they won't follow Linksys' footsteps by shying away from Linux in their v5 WRT54G wireless routers.

Taken from lowyat.net

Using a Single DHCP Server to Serve Multiple Networks

Wednesday, April 05, 2006

As stated before, DHCP clients send their requests for IP addresses to a broadcast address which is limited to the local LAN. This would imply that a DHCP server is required on each subnet. Not so. It is possible to configure routers to forward DHCP requests to a DHCP server many hops away. This is done by inserting the IP address of the router's interface on the DHCP client's network into the forwarded packet. To the DHCP server, the non-blank router IP address field takes precedence over the broadcast address and it uses this value to provide a DHCP address that is meaningful to the client. The DHCP server replies with a broadcast packet, and the router, which has kept track of the initial forwarded request, forwards it back towards the client. You can configure this feature on Cisco devices by using the ip helper-address command on all the interfaces on which DHCP clients reside. Here is a configuration sample that points to a DHCP server with the IP address 192.168.36.25:

interface FastEthernet 2/1
ip address 192.168.1.30 255.255.255.0
ip helper-address 192.168.36.25

That's all. Taken from linuxhomenetworking.com