Sunday 30 September 2012

Manually remove: Win32.TrojDownloader.NsPassT

Tools you will need:

- XueTr (anti-rootkit process viewer, used below to kill the malicious process)
- Sysinternals Autoruns (used below to clear the Image Hijacks entries)

First, run XueTr. In its process list you will see a process highlighted in red with the name "svchost"; right-click it and choose Force Kill.

- svchost - PID (1088) on the machine this was written on; the PID will differ on yours, so go by the red highlight, not the number.

Next, rename autoruns.exe to something else (for example autor9.exe) before launching it, then open the [Image Hijacks] tab and UNCHECK EVERYTHING listed there. This is where the malware plants Image File Execution Options "Debugger" entries that redirect the cleaning tools it knows by filename to itself, so a tool started under its usual name never runs; that is why Autoruns has to be renamed first.

• Image Hijack registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

Make sure you delete all the following files from %SystemRoot%\system32. These are the infected replacements of the service DLLs, the same five files that are put back from a clean copy in the step below:

schedsvc.dll
srsvc.dll
w32time.dll
wiaservc.dll
appmgmts.dll

The malicious DLL exports a function that resolves ShellExecuteA and uses it to launch "explorer" on the current directory of each drive.
A service DLL hosted in an svchost.exe process is located through the ServiceDll value under
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<service>\Parameters]
and svchost starts the service by calling the DLL's exported ServiceMain function. If the export has a different name (for example SchedServiceMain for the Task Scheduler DLL, or SvchostEntry_W32Time for the time service), that name must be stored as the data of the ServiceMain value under the same Parameters key. This is why the malware swaps its own DLL in under the name of a legitimate service: it is loaded at startup inside a trusted svchost process and runs with that process's privileges, which for these service groups is normally LocalSystem, i.e. full OS privileges.

So let's take a look at how it works:
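The following PowerShell script is an added triage aid, not part of the original post and not the author's tooling. It walks the three persistence points the removal steps above touch (IFEO Debugger hijacks, the ServiceDll/ServiceMain values that tell svchost which DLL and entry point to load, and the hosts file) and reports what it finds without deleting anything. The registry paths and value names are the standard Windows ones; run it from an elevated prompt and compare the output against a clean machine of the same Windows version.

```powershell
# Added triage script (not from the original post). Read-only: it reports,
# it does not delete. Run from an elevated PowerShell prompt.

# 1. IFEO "Debugger" hijacks: a program named here is silently replaced by
#    the Debugger value when launched, which is how the malware blocks
#    cleaning tools by filename (and why renaming autoruns.exe sidesteps it).
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
"== IFEO Debugger entries =="
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg } }
} | Format-Table -AutoSize

# 2. Service DLLs loaded by svchost.exe: ServiceDll names the DLL, the optional
#    ServiceMain value names its entry point. A DLL outside system32, a missing
#    file, or a LastWriteTime that differs from its neighbours deserves a look.
#    Windows' own DLLs are often catalog-signed, so 'NotSigned' alone is not
#    proof of tampering on older versions; 'HashMismatch' or an embedded
#    signature from an unexpected publisher is.
"== svchost-hosted service DLLs =="
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $params = Get-ItemProperty -Path (Join-Path $_.PSPath 'Parameters') -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll) {
        $dll    = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $entry  = if ($params.ServiceMain) { $params.ServiceMain } else { 'ServiceMain (default)' }
        $exists = Test-Path -LiteralPath $dll
        $mtime  = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTime } else { $null }
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
        [pscustomobject]@{
            Service    = $_.PSChildName
            ServiceDll = $dll
            EntryPoint = $entry
            Exists     = $exists
            InSystem32 = $dll -like "$env:SystemRoot\system32\*"
            Modified   = $mtime
            Signature  = $sig
        }
    }
} | Sort-Object InSystem32, Service | Format-Table -AutoSize

# 3. Hosts file: anything beyond comments and the loopback lines was added by
#    something; this malware uses it to black-hole security-related sites.
"== Non-comment hosts entries =="
Get-Content -Path "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
```

The second table is the useful one for this infection: the five service DLLs named in the removal steps should all resolve to %SystemRoot%\system32, exist, and carry timestamps consistent with the rest of the directory. A freshly written file under a legitimate service name is exactly the swap the section above describes.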

The next step is to replace the files we deleted with clean copies and put them back in the system directory (%SystemRoot%\system32). Take them from a known-good machine running the same Windows version and service pack, or from the Windows installation media, not from a random download site:

schedsvc.dll
srsvc.dll
w32time.dll
wiaservc.dll
appmgmts.dll

Then open %SystemRoot%\system32\drivers\etc\hosts and delete the entries the malware added. A default hosts file contains nothing but comment lines and the localhost mapping, so anything else can go.

 Now, restart your computer and relax.

Saturday 29 September 2012

HONEY POT: Hack Hackers

What is a honeypot?
In layman's terms, it is a trap set by administrators for attackers: a system that looks like a real target, so that the attacker believes he is breaking into the admin's machine when in fact every move he makes is being recorded by the admin.

How does it work?
It works by presenting the attacker with a fake scenario. The attacker thinks he is penetrating a system, but he is really going nowhere except around a world the admins have built for him. By doing so, the admins can observe all of the attacker's activity: which ports he tries to connect to, which files he tries to upload, and which parts of the system he tries to access.

A honeypot is designed to trap attackers by presenting them with a system, or a part of one, that does not really exist.

Technically, a honeypot listens on ports that the real system does not use. When an attacker port-scans the machine he gets back a list of ports that look open, but they are open only on the honeypot sitting behind the firewall. So whenever he connects to some random port, say 100, he is talking to the honeypot, which logs the attempt, and not to a real service on the system.

The above scenario is easier to picture like this: install VMware on a machine, run an older version of Windows or Linux in a virtual machine with its services exposed, and forward those ports from the host to the guest. Whenever an attacker fingerprints or port-scans the machine, he is getting information about the guest, not the host; he may even manage to penetrate the guest OS, but the host OS stays safe, provided the guest is isolated from the host's network so that a compromised guest cannot be used as a stepping stone.

Doing this by hand is awkward, which is why dedicated honeypot software exists: it emulates the services for you and also takes care of the other jobs, such as recording packets and file accesses.

There are mainly three classes of honeypot (what the literature calls low-, medium- and high-interaction honeypots):
1. Small: mainly logs the IP addresses that try to reach your system, along with the port they tried.
2. Medium: somewhat more advanced; it also keeps track of the files accessed, the time period, the hosts involved, and so on.
3. Large: provides all of the above, but its main feature is fidelity; these can simulate a complete virtual OS for the outsider convincingly.

In this article I am going to give the example of a small-scale honeypot for Windows.
Honeypots are available both commercially and as open source; I am taking the example of KFSensor, which can be downloaded from its vendor (a trial version is free).
STEP 1: Download KFSensor and WinPcap.
STEP 2: Restart your system, then start WinPcap from the folder where it was saved, usually on the C: drive.
STEP 3: Start KFSensor and follow the prompts in its setup window; this is where your new honeypot gets configured.
STEP 4: Done. Keep your system up and let it collect the scans.
[KFSensor screenshot]

*****************
For more information about this program and how it works, please check this video.
If you want to learn about the latest types of honeypots, how they work, and what they can do for you, this is the resource you need:
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
*****************