• Category Archives: Windows Tricks & Tips
  • Windows 10 Surveillance Platform weaponized into and back ported Implants delivered seamlessly to Windows 7 and 8 via Windows Update

    You may or may not have noticed shenanigans in your Windows 7 and 8 based machines.

    Microsoft likes the data they stream from Windows 10 machines so much that they decided to back port the functionality and carve out implants, resulting in a push of 4 optional and 2 important Windows updates.

    They will appear in Control Panel > Installed Updates as:

    Optional
    “Update for Microsoft Windows (KB3068708)”
    “Update for Microsoft Windows (KB3075249)”
    “Update for Microsoft Windows (KB3080149)”
    “Update for Microsoft Windows (KB3022345)”

    Important
    “Update for Microsoft Windows (KB2952664)”
    “Update for Microsoft Windows (KB3021917)”

    If you have better things to do than scroll by hand through the list of installed updates, here are two approaches to detect the SurveillanceWare implants.

    The referenced KBs are specific to the surveillance implants which target Windows 7 only. If you're running Windows 8, 8.1 or 10 you're more than likely fighting much more of a losing battle. So this section is specific to where it may be temporarily possible to remove the implants.

    Detection: open an elevated command prompt and run
    wmic QFE list full /format:texttablewsys | find "KB3068708"
    wmic QFE list full /format:texttablewsys | find "KB3022345"
    wmic QFE list full /format:texttablewsys | find "KB3075249"
    wmic QFE list full /format:texttablewsys | find "KB3080149"
    wmic QFE list full /format:texttablewsys | find "KB3021917"
    wmic QFE list full /format:texttablewsys | find "KB2952664"

    or alternatively detect all six in one go with the systeminfo command (findstr treats each space-separated word as its own search string, so any one of them is a hit):

    systeminfo | findstr "KB3068708 KB3022345 KB3075249 KB3080149 KB3021917 KB2952664"

    To start removal, after optionally taking an evidence image or a system backup:
    wusa /uninstall /kb:3068708 /quiet /norestart
    wusa /uninstall /kb:3022345 /quiet /norestart

    A reboot then seems to be required; after rebooting, continue with:
    wusa /uninstall /kb:3075249 /quiet /norestart
    wusa /uninstall /kb:3080149 /quiet /norestart
    wusa /uninstall /kb:3021917 /quiet /norestart
    wusa /uninstall /kb:2952664 /quiet /norestart

    ---------- Windows 7, 8, 8.1 script to detect implants ----------
    Here is a list and updated DIY detection-ready scripting for all 14 (currently known) surveillance implants, including implants for Windows 8 and later.

    I guess they thought they could catch more fish with 14 baited lines.

    Here are two batch files; run the larger script to see what's detected.

    Open an elevated command prompt

    Create a batch file
    Name: check-kb.bat

    Add the batch script content:

    @echo off
    REM check-kb.bat - usage: check-kb KBnnnnnnn [context words...]
    if "%~1"=="" (echo usage: check-kb KBnnnnnnn [context words] & exit /b 1)
    echo Only the first parameter is used in the search, the rest display context.
    echo.
    echo Checking for %*
    @echo on
    wmic QFE list full /format:texttablewsys | find "%1"
    @echo off

    Create a second batch file whose purpose is to check for the currently known implants.
    Name: checkfor_NPI_patches.bat

    Add the batch script content:

    @echo off
    SetLocal
    REM -- Currently known implants (as of 2015-08-26). check-kb.bat must be in this directory or on PATH.
    cls
    call check-kb KB3012973 - Opt in payload - Upgrade to Windows 10 Pro
    call check-kb KB3021917 - Opt in payload - Update to benchmark Windows 7 SP1
    call check-kb KB3035583 - Opt in payload - delivers reminder "Get Windows 10" for Windows 8.1 and Windows 7 SP1
    call check-kb KB2952664 - Opt in payload - Pre launch day push of payload for compatibility update for upgrading Windows 7
    call check-kb KB2976978 - Opt in payload - Pre launch day push of payload for Compatibility update for Windows 8.1 and Windows 8
    call check-kb KB3022345 - Opt in payload - surveillance Telemetry [Replaced by KB3068708]
    call check-kb KB3068708 - Opt in payload - Update for surveillance customer experience and diagnostic telemetry
    call check-kb KB2990214 - Opt in payload - Update that prepares payload to Windows 7 to add surveillance in later installed versions of Windows
    call check-kb KB3075249 - Opt in payload - Update that adds surveillance telemetry to Windows 8.1 and Windows 7
    call check-kb KB3080149 - Opt in payload - Update for CIP and surveillance with diagnostic exfil leveraging telemetry
    call check-kb KB3044374 - Opt in payload - Marketing Windows 10 surveillance payload to Windows 8, 8.1 devices
    call check-kb KB2977759 - Opt in payload - Windows 10 surveillance Diagnostics Compatibility Telemetry HTTP request response
    call check-kb KB3050265 - Opt in payload - Marking via Windows Update services opting in to Windows 10 surveillance Implant
    call check-kb KB3068707 - Opt in payload - CIP telemetry request response check in for Windows 7, 8, 8.1
    EndLocal

    Whatever surveillance implants are revealed on your machine can be removed with a customization of the wusa command; just replace the ??????? with the KB numbers reported.

    wusa /uninstall /kb:??????? /quiet /norestart

    ------- Housekeeping QA -------

    Post-removal housekeeping checks and additional steps. I can foresee someone will prophetically conclude with a recommended step 5) uninstall Windows and install a secure *nix variant. Obligatorily mentioned in advance. Thanks.

    Keeping an eye on post-removal hinkiness had some hits after removals and reboots.

    1) Only two of the four uninstalled KBs reappeared as available optional "Update for Windows 7 for x64 based Systems" (KB3075249) and (KB3080149); another reappeared as

    Important "Update for Windows 7 for x64 based Systems (KB3068708)"

    The important one was the "Update for customer experience and diagnostic telemetry". Important to whom, NSA?

    The "KB3068708" "Update for customer experience and diagnostic telemetry" did not reappear as an available patch. It may be dependent on one of the other three removed bits.
    2) Before the uninstall, I had the foresight to search the infected file system for .manifest files with a common namespace string called assemblyIdentity which is set to the string value "Microsoft-Windows-Authentication-AuthUI.Resources".

    The before-removal search, listing files which matched the above search constraint, yielded 62 matches in 52 manifest files.

    The after-removal search, listing files which match the above search constraint, yields 74 matches in 64 manifest files.
    Conclusion: the removal did not remove the manifest files pushed in the original infection.
    3) A read of KB 3080149 indicated that it installs, updates and requires maintenance of a file named utc.app.json.

    Before removal, the file was found in 6 places on the infected filesystem.
    After "removal" the file exists in the same 6 locations, same file size, just waiting for re-use and reinfection.

    Discovered and removed, using the described method, 22 additional implants.
    Found that all 6 utc.app.json had been removed and that two backup copies had been left under the name utc.app.json.bk in
    C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings
    C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings
    In the same directory, found a backed-up file telemetry.ASM-WindowsDefault.json.bk.

    In order to see the hidden system directory, you must elevate to admin.
    dir won't show the rest of the telemetry files unless you clear the file attributes (or list with dir /a, which includes hidden and system files).
    An elevated File Explorer will show the files.
    The files won't be readable until you change the owner or permissions, or change your running user principal context to one that does allow access to the file.

    telemetry file content:
    {
      "settings": {
        "Microsoft-ApplicationInsights:::sampleRate": "100",
        "Microsoft-ApplicationInsights-Dev:::sampleRate": "100",
        "Microsoft-ApplicationInsights-Dev:::latency": "Realtime",
        "xbox.xsapi:::sampleRate": "100",
        "Office:::sampleRate": "100",
        "Skype:::sampleRate": "100",
        "Census:::sampleRate": "100",
        "Microsoft.Windows.Appraiser.General::ms.CriticalData:sampleRate": "100",
        "Microsoft.Windows.Appraiser.Instrumentation::ms.Telemetry:sampleRate": "100",
        "Microsoft.Windows.Compatibility.Asl::ms.Telemetry:sampleRate": "5",
        "Microsoft.Windows.Inventory.General::ms.CriticalData:sampleRate": "100",
        "MicrosoftTelemetry::ms.CriticalData:sampleRate": "0",
        "MicrosoftTelemetry::ms.Measures:sampleRate": "0",
        "MicrosoftTelemetry::ms.Telemetry:sampleRate": "0",
        "Setup360Telemetry::ms.CriticalData:sampleRate": "100",
        "SetupPlatformTel::ms.CriticalData:sampleRate": "100",
        "TelClientSynthetic:HeartBeat_5::sampleRate": "100"
      }
    }
    content of utc.app.json:
    {
      "settings": {
        "UTC:::GroupDefinition.MicrosoftTelemetry": "f4-Redacted data-6aa",
        "UTC:::CategoryDefinition.ms.CriticalData": "140-Redacted data-318",
        "UTC:::CategoryDefinition.ms.Measures": "71-Redacted data-63",
        "UTC:::CategoryDefinition.ms.Telemetry": "321-Redacted data-32",
        "UTC:::GroupDefinition.Microsoft-ApplicationInsights": "0d-Redacted data-d0b",
        "UTC:::GroupDefinition.Microsoft-ApplicationInsights-Dev": "ba-Redacted data-3d",
        "UTC:::GroupDefinition.xbox.xsapi": "53b-Redacted data-af3",
        "UTC:::GroupDefinition.Office": "8DB-Redacted data-155",
        "UTC:::GroupDefinition.Skype": "9df-Redacted data-a89",
        "UTC:::DownloadScenariosFromOneSettings": "1"
      }
    }

    To mitigate future infection, I am considering removal, alteration, or revocation of file permissions on utc.app.json and the hinky manifest files.
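    The checks above (the 14-KB watch list from the batch scripts, the AuthUI.Resources manifest count, and the utc.app.json / .bk files with their attributes and owner) collected into one read-only PowerShell audit script. This is an added example, not part of the original post; it assumes an elevated PowerShell prompt on Windows 7 / 8 / 8.1, and it narrows the manifest search to %SystemRoot%\WinSxS\Manifests rather than the whole file system the post searched.

```powershell
# Added audit script for this post's checks; it is not part of the original post.
# Read-only: it reports, it does not uninstall anything.

$WatchList = @(
    'KB3012973','KB3021917','KB3035583','KB2952664','KB2976978','KB3022345','KB3068708',
    'KB2990214','KB3075249','KB3080149','KB3044374','KB2977759','KB3050265','KB3068707'
)

Write-Host '== Watch-list KBs present in installed updates =='
$installed = Get-HotFix                      # same Win32_QuickFixEngineering data that "wmic qfe" reads
$hits = $installed | Where-Object { $WatchList -contains $_.HotFixID }
if (-not $hits) { Write-Host '  none of the 14 watch-list KBs are installed' }
foreach ($h in $hits) {
    Write-Host ('  {0,-10} installed {1} by {2}' -f $h.HotFixID, $h.InstalledOn, $h.InstalledBy)
    # the post's removal command, printed for review rather than executed
    Write-Host ('      remove with: wusa /uninstall /kb:{0} /quiet /norestart' -f $h.HotFixID.Substring(2))
}

Write-Host "`n== .manifest files naming Microsoft-Windows-Authentication-AuthUI.Resources =="
# Assumption: the post searched the whole file system; this limits the search to
# %SystemRoot%\WinSxS\Manifests, where component manifests are stored, to keep it quick.
$manifestDir = Join-Path $env:SystemRoot 'WinSxS\Manifests'
$manifestHits = Get-ChildItem -Path $manifestDir -Filter '*.manifest' -Force -ErrorAction SilentlyContinue |
    Select-String -SimpleMatch 'Microsoft-Windows-Authentication-AuthUI.Resources'
Write-Host ('  {0} matches in {1} manifest files' -f @($manifestHits).Count,
    @($manifestHits | Select-Object -ExpandProperty Path -Unique).Count)

Write-Host "`n== Telemetry settings files under DownloadedSettings =="
# C:\Users\All Users is a junction to C:\ProgramData, so the post's two paths are one directory.
$settingsDir = Join-Path $env:ProgramData 'Microsoft\Diagnosis\DownloadedSettings'
if (-not (Test-Path $settingsDir)) {
    Write-Host "  $settingsDir : not present"
} else {
    # -Force includes files carrying the hidden/system attributes that a plain "dir" hides
    Get-ChildItem -Path $settingsDir -Filter '*.json*' -Force | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        Write-Host ('  {0,-40} {1,7} bytes  attrs={2}  owner={3}' -f $_.Name, $_.Length, $_.Attributes, $acl.Owner)
    }
}
```

    Run it once before and once after the wusa removals and diff the two outputs; a KB that vanishes from the first section while the .json and .bk files stay put in the last section is exactly the leftover state the post describes.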

    4) Re the connections the malware opened, which may or may not have MITM certificate-pinning mitigation: my personal opinion is to mitigate by locking down access to the data exfiltration endpoints.

    The firewall now blocks outbound access from the network to the following endpoints (nslookup results at the time of writing):

    vortex-win.data.microsoft.com
    Name:    VORTEX-cy2.metron.live.com.nsatc.net
    Address: 64.4.54.254
    Aliases: vortex-win.data.microsoft.com
             vortex-win.data.metron.live.com.nsatc.net
             vortex.data.glbdns2.microsoft.com

    settings-win.data.microsoft.com
    Non-authoritative answer:
    Name:    OneSettings-bn2.metron.live.com.nsatc.net
    Address: 65.55.44.108
    Aliases: settings-win.data.microsoft.com
             settings.data.glbdns2.microsoft.com

    Chances are that anything outbound to *.data.microsoft.com should likely be blackholed if you opt out of the "Idiots Do Opt Having Pervasive Surveillance Patches" program, IDOH-PSP for short.

    Hope this helps to bring out most of the malware workflow; as this is early info on this new day of vendor-sponsored in-your-face implants, the info will likely be incomplete.


  • How To Download YouTube Videos FREE – No Program needed

    How To Download YouTube Videos (without IDM or Any Youtube Downloader)

    1. Open the YouTube video you want to download in your browser. See sample below.

    [image]

    2. Type "ss" before the word "youtube" in the link. Look at the sample below.

    [image]

    3. After that a new website will open: https://en.savefrom.net/

    [image]


    4. Now you can download the YouTube video.


  • Reports claim Windows XP can be updated via registry hack

    [image]

    Officially, Microsoft stopped releasing automatic public updates for Windows XP over a month ago after over 12 years. Now a registry hack has been found that, when placed in the OS, allows it to continue receiving updates.

    The hack was first reported by BetaNews and later confirmed by ZDNet. By making a few changes in the registry of XP, the hack basically tricks the automatic update servers at Microsoft into thinking the OS is Windows Embedded POSReady 2009. The OS is based on Windows XP Service Pack 3 and it will continue to get security updates from Microsoft until April 2019.

    The specific registry hack works with 32-bit systems, but owners of the few 64-bit Windows XP PCs can find a workaround on this forum. However, it's more than possible that this method will be short-lived, as Microsoft could make changes to block any security updates that use this hack.

    It should also be noted, as Microsoft has done many times, that Windows XP is well over 12 years old and PC owners should really upgrade to a more recent version of the OS that will not only keep getting security updates but will be more secure overall.


  • Apple MAC OSX Tricks and Tips

    Startup Shortcuts

      • Hold the ‘x’ key during startup. This will force the Mac to boot from OS X, no matter which disk is specified as the startup disk.
      • Hold the ‘c’ key during startup to boot from a bootable CD or DVD.
      • Hold the ‘n’ key during startup to boot from a networked computer that has a NetBoot volume.
      • Hold the ‘t’ key during startup to boot in FireWire Target Disk Mode. This mode lets you use any Mac with a FireWire port as the source for your bootup system.
      • Hold the ‘d’ key during startup. If the Apple Hardware Test DVD is in the optical drive, the Apple Hardware Test will begin.
      • Hold the option key during startup. The OS X startup manager will appear, allowing you to select a disk to boot from.
      • Hold the shift key during startup. This will boot your computer in Safe Mode. Safe Mode disables login items and non-essential kernel extensions from starting up.
      • Hold the command + r keys during startup. This will cause your Mac to use the Recovery HD partition, which will allow you to restore OS X Lion or later.
      • Hold Command + ‘v’ during startup. The command key is the key with the cloverleaf symbol. This shortcut will boot your Mac in Verbose Mode, with descriptive text sent to the display during the startup process.
      • Hold Command + ‘s’ during startup. This shortcut will boot your Mac in Single-User Mode, a special mode used for troubleshooting and repairing complex hard drive issues.
      • Hold down the mouse’s primary key during startup. On a two- or three-button mouse, the primary key is usually the left button. This shortcut will eject a CD or DVD from the optical drive.
      • Hold Command + Option + ‘p’ + ‘r’ during startup. This zaps the PRAM (Parameter RAM), an option that long-time Mac users will remember. Press and hold the key combination until you hear the second set of chimes. Zapping the PRAM returns it to its default configuration for display and video settings, time and date settings, speaker volume, and DVD region settings.

    In all cases, you should use the keyboard shortcut combinations immediately after pressing the Mac’s power switch, or, if you used the Restart command, after the Mac’s power light goes out.


    Visit our Repair section and services, or Call 754-234-5598 to repair your computer online for a small fee

    www.ccrepairservices.com


  • Windows 8 Safe Mode F8 How to

    Windows 8 introduced a new boot loader that decreased the time it takes Windows 8 to start. Unfortunately, in order to do this Microsoft needed to remove the ability to access the Advanced Boot Options screen by pressing the F8 key when Windows starts. This meant that there was no easy and quick way to access Safe Mode anymore by simply pressing the F8 key while Windows starts. Instead, in order to access Safe Mode, you would need to either start Windows 8 and then tell it to restart into Safe Mode, or wait for Windows to fail to start, where you could then tell Windows to reboot again into Safe Mode. Regardless of how you did it, it became a 2-3 step process to access the Windows 8 Safe Mode rather than the 1-step process that we have become familiar with.

    In my opinion having access to diagnostic tools quickly and easily is more important than shaving some seconds off the time it takes Windows to start. With that said, this tutorial will explain how to enable the F8 key in Windows 8 so you can quickly and easily access the Safe Mode boot options and other diagnostic tools. As a bonus, by enabling this option on a dual-boot system with multiple operating systems, you will now find it easier to select the operating system you wish to use when you start your computer.

    To enable the F8 key in Windows 8 you will first need to open an elevated command prompt by running the command prompt with administrator access.

    When the elevated command prompt is open you will be at the C:\Windows\System32> prompt. To enable F8 in Windows 8 you need to type the following in the command prompt and then press the Enter key.

    bcdedit /set {default} bootmenupolicy legacy

    Once the command has been entered as shown above, press the Enter key on your keyboard. If you entered the command correctly, Windows will report "The operation completed successfully." You now need to restart your computer for the change to take effect. With this setting configured, you can now press F8 while Windows 8 starts in order to access Safe Mode and other Advanced Boot Options.

    If you would like to disable the F8 key and go back to the original Windows 8 setting you can open an elevated command prompt and enter the following command:

    bcdedit /set {default} bootmenupolicy standard

    Once you enter the above command, press Enter on your keyboard. If you entered the command correctly, Windows will report "The operation completed successfully." and you should then restart your computer. The F8 key will now be disabled in Windows 8.
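    As an added example (not part of the original tutorial), a small PowerShell helper that reads the current bootmenupolicy of the {default} BCD entry before and after running the same bcdedit command, so the change is verified instead of assumed. It assumes an elevated PowerShell prompt, which bcdedit needs in any case.

```powershell
# Added helper, not part of the original tutorial. Verifies the bootmenupolicy
# element of the {default} BCD entry around the change rather than trusting the
# "operation completed successfully" message alone. Assumes an elevated prompt.

function Get-BootMenuPolicy {
    # bcdedit lists each BCD element as "<name>   <value>". The bootmenupolicy line is
    # absent when the element has never been set; Windows 8 then behaves as Standard.
    $listing = bcdedit /enum '{default}' 2>&1
    foreach ($line in $listing) {
        if ($line -match '^bootmenupolicy\s+(\S+)') { return $Matches[1] }   # Legacy or Standard
    }
    return 'Standard (element not set)'
}

function Set-BootMenuPolicy {
    param([Parameter(Mandatory=$true)][ValidateSet('legacy', 'standard')][string]$Policy)
    Write-Host ('before: ' + (Get-BootMenuPolicy))
    # the same command the tutorial gives; the braces are quoted so PowerShell does not parse them
    bcdedit /set '{default}' bootmenupolicy $Policy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE (is the prompt elevated?)" }
    Write-Host ('after:  ' + (Get-BootMenuPolicy) + '  (takes effect after a reboot)')
}

# Set-BootMenuPolicy legacy     # enable F8 / Advanced Boot Options
# Set-BootMenuPolicy standard   # restore the Windows 8 default
```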

    COMPUTER REPAIR SERVICES for Dell, Apple, Sony, Samsung, Toshiba, HP, Compaq, Asus, Fujitsu, Gateway, Lenovo, Acer and more