Category: Geeks r Us
The recent outbreak of a screen reader catastrophe that resulted in many people not being able to use their screen readers has been solved. What it does is screw the mbr in such a way that none of the screen readder except nvda will work. The program that is causing this is the hjook.dll in a jaws 8 crack that has been floating around. It is a self destructing program set to go off on December 26th. This crack is for jaws 8.0.2173.
I suggest to all who have gotten this infected/slyly modified dll to from now on make a ghost image of a new or good install of your Windows. Do not accept files who you know are from people with connections with Tyler Spyvy, since he has been creating these sorts of files. I'm not finger pointing but what I am doing is letting those of you who do not know that Tyler Spyvy is very big, and good, with hacking and creating viruses. No virus programs or malware detections programs will find it.
The lines of code are wirtten in C++ and are not known as of now, but those of you who are willing to and are programmers can disect it.
I hope this has settled a lot of nerves.
I also hope I don't get banned, but this is for the good of others who might otherwise have done nothing wrong.
Credit for this is going to Spike and his friend urigs, here on ehte zone.
what a prick. i never heard of this kid. i'm glad i don't know him. I hope i don't meat him either.
Contrary to popular belief, I am not the creator of this thing. I got hit with it myself, and, rather than yelling at everyone asking how to get rid of it, simply reformatted my computer. This virus seems annoying, but harmless. Back up your data and reinstall windows. It's not rocket science, and only takes a few hours, a day at the most.
If you wish to make a reply in which people will take you seriously, please check your spelling. I have an ever growing pet peive about spelling. While I probably am not the best speller in the world, I do think you should at least proof read enough for eloquence to read your message correctly. Anyways, that is not what I am posting this reply for. What I am telling you is that you should do more investigating before you try to make assumptions about the solution. You are claming that it was a feature of a JAWS crack. I know for a fact that Tyler obtained the crack from someone else. I know people who have this crack and it doesn't effect them at all. Also, you're suggesting that this crack is killing JAWS. You fail to realize that this thing also gets narrator, window-eyes and hal. To say that a JAWS crack is going to do that is a little incredible. Also considering the fact that many of the people who got this thing were in fact not running the crack. Tyler Spivey was on JAWS seven and he got it himself. Don't point fingers until you know the facts. I'm not protecting people, I'm just trying to keep people from being falsely accused. Perhaps Tyler did code this thing. I don't know. I will however tell you that this is not the nature of his coding. Tyler takes the more play reggaeton, hitler and country on everyone's computers approach. Weather he puts a remote script on your computer or if he just sends a file, it doesn't matter. Also, in every script he has written, he always disables system restore. In this one, it is not disabled and it may work for some people but it does not for others. Also, I program a lot with Tyler Spivey so I talk to him frequently. I have never once heard of you (c-dog) ever. Don't talk about things that you don't know about.
Look, I do understand that you might be upset by everything that is happening. I don't know if you got this virus or what ever it is or not. But I know that you all may be a little up tight and worried about this thing which is still hitting people even after mid night of 12/26. I understand fully the panic that this might cause. But please use your judgement. The problem can only be solved by thinking of the solution. And the only way to think of the solution is to add up all of the facts. Not just some of them. Pointing fingers will also not give you a solution. It will only get someone's names on a bunch of boards.
I am sorry for all of the people who have been hit by this thing. I empethise for you all.
ok, so basically that anser really is no answer at all. I found it quite fishy myself that something written into a JAWS 8.0 crack would also take down other screenreaders. It would sure as hell make sense if JAWS was the only screenreader effected and yeah, if you were running the particular crack of JAWS, that would make total sense. But I got news for you, dude, JAWS is *not* the only fucking screenreader people use. There is Hal/supernova, and Window-eyes, along with the free solutions like NVDA and Thunder. Since Sapi 5 synthesizers seem to be effected, logic suggests that somehow, a group of individuals have installed a piece of software that contains some kind of a rootkit that deleted any instances of Sapi 5, or there was a possible hack that happened, and someone hacked into people's computers and did this shit. Man oh man am I *ever* glad I don't use eloquence!
again you need to experiment. How did you get this thing? When? Experiment with NVDA. Which synthesizers work? Which ones don't? Is it a synth issue or a screen reader issue? Like I said, look at all of the facts and do a little problem solving your self. And as for the first post claiming that it was a c++ hack, what makes you come to this conclusion? If you make claims you really need to back them up.
Hi. Again, i'll quoat something and then respond:
What it does is screw the mbr in such a way that none of the screen readder except nvda will work.
Explain? I'm guessing that ruling out nvda is to do with the lack of an interseptor, but narator works fine with out graphics installed ie: no interseption, and it is also not working.
As I understand it, up untill very late on into the boot process, windows only uses generic display drivers ie: those that are used in safemode, so would this really have a big effect on things?
The lines of code are wirtten in C++ and are not known as of now, but those of you who are willing to and are programmers can disect it.
Feel like posting the source?
oh man. whoever is doing this obviously has nothing better to do. i really hope i dont get hit with it although it would give my husband an excuse to redue my computer like he has been saying that he would for a few months now
I do not have the source but when I get it I will post it. it is a dll so I don't know how I will get the actual lines I will see if I can get a programmer to get it for me thanks. As to posting 4 you are just defending tyler and probably don't know him very well. But again, I am not finger pointing, I am just stating what has happened and what i thought might've have happened. What you think and what I say are 2 different animals so don't prejudge me or anything I say. I never got the infected dll, but I know many many people who have, and one of them is a friend of mine who is how i know this.
I would actually recommend an experiment. If anyone has a clean install of xp in a vm, keep the machine disconnected from the internet, install monitoring software like FileMon and Process Monitor from Sysinternals, then install jaws, and then apply the crack. Install jaws 8.0.2173. Then reboot and see if it works. It will screw with the master boot record so reformatting is not the easiest thing to do for all people. Funny how it only effects screen readers. I have not clue how the thing works but I'm telling you what it does. As for the other screen readers, it will not allow them to install at all even after you reformat. If you don't believe me ask Urigs. He has experienced it first hand on 2 separate machines. I will be asking him to post here expressing his finding. The one program that did not work is DBann.
but by mentioning names, you are pointing fingers, no matter how many times you deny it. I'm not prejudging you, I'm telling you to make better judgements. Your experimentation is a good idea, not pointing fingers. I'm guessing you have heard of tyler from stophackers.wordpress.com (in fact, that was tyler). I'm also guessing you have never reaklly talked to tyler. If you have, you are more than welcome to correct me. I am not defending anybody, I'm getting you to the more realistic part of things. Reporting Tyler is not going to do anything to stop this thing. It is already out. Investigating will however stop this thing. I don't even know where you got his name from, but it would be a better idea to go and look into it and see if he would really do such a thing rather than putting his name on a public board.
And what do you have against eloquence? I leave my machine on all night without any problems. Someone is out to have fun with others and sure as hell am going to stay off ftp servers and keep away from those that have contact with dangerous programmers *not pointing to others*. I am not one myself and hvae no idea but am told by a programmer what the problem is. I ain't got a clue how it works only that it does it.
well then, what is the problem so it can be fixed?
You are not listening to me. I mentioned Tyler's name because I've known him to do mean and malicious things to other's machines. I don't know if he did it or not. I only speculated. I told you what the problem was. Maybe you should read my posts instead of saying what you want to say. I don't know how it works I only can tell you what it does. Ask the programmer how it works. Oh thats right we don't know who created the thing.
This is probably all speculation. Nobody really knows.
read above 14. I've stated what it does. Problem now is how to undo it. A format doesn't work, however a ghost does. It's also a lot faster too..
Ah no one has talked about preventing this virus, nor have they said what there computer practices are. Sometimes people your friends mess you up not meaning to, and free software like cracks and such are open to issues. Free sometimes is simply not best. FTP Servers are private affairs, and my rule is if you can not send a file to me over regular channels, or I must go private I first must know the person, or I do not want the software. This goes for music, crack programs, and you name it. Your habits are you worst issue. Clean up these and live.I noticed while writing this post my spyware kicked off a warning? Why would this be. SMILE You get what you pay for sometimes people.
hmmm, I think the problem is not with ftp or anyone here, after reading this post, I think it is much deeper something no one can get at this time. I don't think logging, or formats are going to do it. I don't know what tyler did differently but read the following post that neighbors this one.
Post 13 of 15
louiano
Ignore louiano
i just keep on posting!
845 posts
today 21:26:42
while testing the software (or cause) as mentioned might sound reasonably competent, the fact that the source is not fully predictable at the moment makes this rather a sort of wasting of time. I know this since i have reformatted, messed with the registry, logged and monitored system changes and am behind a router. If this were people hacking on other's computer as i would expect it to be as well, there is an issue which should be resolved. For a fact, we do not know if anyone who does not use any screen reader is not capable of running narrator at the moment. ONe of my friends has a computer that does not have internet currently and I recall that no screen readers were installed on his machine. I used narrator not too long ago on it without any success. The fact is, when narrator is started the window will flash briefly and then disappear. Sapi 5, however, works fine with the non-visual desktop access screen reader. on the other hand, if any of these drivers would be "deleted" or "hacked into", the error should be reported by the application through some form of dialog box or log. Scanning the disk as mentioned above, while intuitive, will not work. This is due to the fact that i have reformatted my hard drive twice, first with the sucky windows tools and secondly with low-level formatting (google is your friend for that term) and nothing changed; the problem obviously still occurs. Lastly, one of my friends who seeemed to have this virus (or, if possible, maybe even boot virus) got a new hard drive and things have been alright again. He claims that he is however, using the "cracked version" of jaws successfully. I wish there was a bit of more detail on this from more users; however my findings are pretty much the same. Writing a fix for this would probably be a much more involved task than just getting and new hardrive or even flashing the bios and reinstalling it all. If any information is obtained on formatting or erasing completely the boot sectors I would really apreciate it, as this would enable me to go a step further on my experimentation. I notice too that vista users are not affected as of now, perhaps there is better control over the boot modification than there is on previous windows versions. I am afraid I have lost 2 hard drives at this time if nothing else can be done.
give me any credible evidence that it was Tyler. I talk to Tyler pretty much every single day. He has done a lot of stupid things in the past. Victim, keygen scripts etc... But even if it was him, how would you know? Has many times as I have talked to Tyler, I have never once heard of you. Maybe Tyler did it, I'm not defending him, I'm not ruling him out, but it seems like you are trying to make Tyler the only person who could have possibly have done such a thing. Perhaps you're right, perhaps you're wrong. But I have never heard of you before this post and that obviously means you don't know Tyler that well. As for my ask the programmer thing, I thought you ment that you talked to a programmer that figured it out. I didn't think you ment some anonymous programmer. And as for you not knowing who the programmer is, if you really think it is Tyler, go talk to him if you know him so well.
I dont' know tyler, don't care to and I never blamed him again i only speculated. I don't know him he don't know me. let us keep it this way. But on a more alternative note, I am beginning to think that it might jokingly be the fbi and my friend shaun has also speculated about this, and I got to thinking about it, and I wouldn't doubt it for a second. And yes, I have also learning that sighted people have gotten it. So no, it probably wasn't tyler.
lol I have heard fbi, I've heard Microsoft has released updates to disable all screen readers, I've even heard that FS did it to make everyone go to JAWS 9. (But that rules out Window-eyes and Hal and Narrator). Actually, freedom scientific has been contacted about it, and even they are pointing fingers. They claim that it is skype's fault, everyone was on skype at the time and that it is being transfered over a security vonerability on their network. LOL it is amusing what people will make up. We'll have to keep and open eye out to see what it really is, but until then, the conspiracy theories are entertaining.
we are not making things up, we are simply speculating since no one apparently knows anything about anyone now. It couldn't not have been skype because many people left it running all night, and even people who were not one skype got it. So shove that in your pipe and smoke it.
damb dude. I highly doubt that it was the FBI. I'm not stopping you from ruling this out, I just find them funny. You should rurule out nothing. I don't know what to believe and I am open to all points of view. I just find certaqin theories funny. The forced upgrade to JAWS 9 was one of my formmer theories until hearing about window-eyes. You don'tr need to yell at me for simply finding the humor in something.
Yes the pipe thing was sarcasm. But now we've seen some of the simptums I'm baffled. I also can't believe FS is even being called. I'm also being told that now zip and rar archives are being infected. I'm going to say, who ever wrote this is damned smart and wouldn't want to piss them off in any shape or form because I'm sure they could do worse.
well, at least there is something good out of all this. the comitions for the blind will have to look at nvda now, especially if it keeps hitting people. lol. i've gotten it myself, and was the one who jokingly speculated about the fbi, which i don't think is true. lol. I know that it hits all of the screen readers and will only let nvda run. also it knocked out my visual c++ runtime libraries yesterday, and they're strangely back. its very strange. Also, system restore is disalbed on my box, and was before this ahppened, so it would have been of no help to renable it. lol. Well, i'm not sure about the reformats though. tyler did that and it worked, and so did blake. they have had success, but others haven't. its mutating, or at least it seems to be doing that.
this back and forth shit is pointless now. Might i suggest that we not talk about this until an answer or more credible info is actually found? As for posting the code, i'm pretty damn sure that due to legal reasons, the CL's would have a huge fucking problem with that, so if someone obtains the code in this dll i would suggest posting it somewhere else and letting people with more advanced knowledge look at it and try to figure this out.
also, it seems like something that hits a lot of people, not just blind people. I have sapi 5 working fine on my end, and currently using nvda. also, its fun to speculate, but we don't know firstof all, who created this thing, second of all, what it is, rootkit, virus, or trogin, and thirdly, we don't know of al of its affects, other than a few of them. its like trying to complete a math problem with only one number, it just isn't doable. I'm just telling you what i know, and that is that who ever wrote this, they're damn good. But I would highly doubt that the mbr could survive a reformat, so this thing could not just hide out in it. Again, i don't think it was tyler, since he got hit with it hiomself, and for a while i thought it was the fbi, hitting people who are pirating screen reading software, but taht's out, since a few friends of mine who have legal software also got hit. lol. just a thought.
interesting discussion; now, having my post on another post like this is something i would not have expected at all; although I will not be oposing it, since the more it is spread it migh alert others of how highly effective this can be. Something that can work for most of you as far as I have discovered, is to revert the date back to July of this 2007 and then use D ban and reinstall xp (clean). You'll have six months left unless you keep on misteriously setting the pm switch back to the A. M one. Anyway, not sure how, but I am really possitive that this is what is known as a virtualized rootkit. Upon some reading on wikipedia (which again might not be verifiable) is that these rootkits mess up the boot record sectors and thus create a virtual system which loads a "nicely clean" copy of the operative system and thus being the lowest kind of them. The reason why this can be so is because reformatting and reinstalling the perative system will not make the problem go away. i am not sure, if there is any way of reformatting the mbr other than the sucky "fdisk mbr." If there are new hard drives that are unaffected and the date can be changed (along with the deletion of the cryptography backslash rgn key on registry and also the key named UserAssist) I strongly suggest into further investigation for such kinds of rootkits and perhaps how to solve the issue. I hope and really do intend, for this temporary work around to works for all of you as well. So what, school's coming and jaws is damaged. If freedom scientific cannot solve this, nor gw micro or the makers of hal, I could say that this is going to make some sor of history. Oh, another proof of this being a virtualized rootkit follows: If you try to install jaws 8 (the one before 1730 it installs sucessfully with the following error at runtime: Cannot find FS Scan maps.dll, ok button. Now, upon more exploration, the file resides where it is supposed to be; but yet anoher function that these rootkits have is to hide this data from the system on a windows operating system. Hopefully speculation can go more towards the solution of the problem and not towards blaming someone. Cheers
I apologize for post once more but I guess firstly my spelling sucked and secondly i was not clear on the temporary workaround. What i did exactly was to change the date back to July of this year, reformat my computer, reinstall xp and jaws (both cracked and authorized) ran successfully. If you set the date closer to the deadline (2008) to say December 24th, it will report a message on a time limit on jaws 8 versions apparently, saying "you have X days remaining." Window eyes or lower versions of jaws donot seem to report it. Back to the workaround. After installing xp with the changed date, go to the registry and delete the keys under cryptography: rgn, and also a key named Userassist. Do this after installing jaws. I am not sure if this will work for all of you but again, I hope it does; the keys will be created again anyway, but they change on cryptographic hash (that is, the data on them is not the same as that one it was before). Aparently, these keys are used by windows and some other programs and documentation on them is rather obscure and very little.
as I understand it for a rootkit to be installed, you have to install some other kind of software for it to hide itself in there, because other than someone hacking into your computer i can not think of a way for this to happen. it makes absolutely no logical sense that your screenreader would *just* stop working, just because. If that were true, everyone in the world would have this problem but guess what? lots of people don't but some do. so either a rootkit is involved, someone is just being incredibly stupid, or maybe both.
o, and the makers of hal: dolphin.
You all should do a virus scann because it might pick something up, or 2.
Interesting. Vary interesting. I'll keep reading I interested in the outcome.
yeah do a virus scan and get a braillenote. it's got the power of the KeySoft layer: NO third-party apps! amd it's running windows ce. and works perfectly with the zone!!!
ok, so the other post on this topic says we should look at the audiogames forums and then the person on the audio games forum things he's all incredible with his new "blind viruses" trend. What, there will be tons of them more to come? I just gave it up and decided to just get a new hard drive. This is pretty strange though, that it "requires no interaction", according to some posts on various forums. If it is a warm, then what kind of worm is that? i only know of a posibility; a so called "bomb" program which goes like "after this date, do that." Or, after this many runs, or at this given time, this will happen. As far as the rootkit... I discard that posibility now since i cannot thing of any software that would indeed, make your screen reader stop work just because . With this new hd, even the so frowned upon cracks and all other versions work just fine. WHo knows what happened at that particular day. Its like that time when for some reason microsoft's copies of the "genuine windows" operative system suddenly reverted to "invalid" products. All this lisencing and what not makes things aggrabating... but even if the software would be sold on cds, there would be people who would extract contents, or make copies, or the like, and then distribute; so to me it really doesn't matter if people use "cracked" or "legal" versions, because either way, most software has already been cracked anyway. I also scanned the old hard drive by a rescue disk from notrton, AVG, and none of them returned any results of infection whatsoever.
wow. that's strange that there was no infection on your hard drive. on thing that is interesting, is that skype is not to blaim, because of the fact that i was not on it when this happened, and i'm still running nvda here. lol. i'm a little nervice about turning on any other computers since i don't know if this could end up hitting them, so i kinda can't do my homework at the moment, since msn causes nvda to almost crash. lol. But back to what i said before about the virus mutating on everyones systems, here's what i mean. I got hit with it, and at first my visual c++ runtime libraries did not work, and a day later, i was able to launch skread, which uses them, with no problems. Also, I do not have system restore enabled, and some people who did were able to restore their machines, and others weren't. Also, my friend Keith's old pentium got hit, and he had a file called s.bat in his startup directory or something like that, and just deleted it and it was fixed. I however, don't have anything in my startup folder. I do have an svchost.exe running as administrator though. lol.
Oh yeah, and one thing i do have installed is Hijack this. Ryan was asking for a hijack this log, so i've got one right in front of me. See what you think of this.
you've got hal and window eyes? maybe it's putting modified versions of there startup or app files there?
yes, i've got hal and window yees, but i don't think its doing that. this thing will not let me install them either, since it disables the application managment service, weell it did, and now its back, omg! anyways, see how strangethis thing is being? things go off, then a day later they're back on again, and off and on, and more things go off and some new ones turn on... lol! its mad! the virus of madness! programmed to drive users, er, victums insane through stopping and starting critical services at random times! lol! anyways, no, this has not modded the apps files that i'm awhere of. the services are just not starting. that's all that is happening with it. the programs are still there, well, accept for jfw, but they will not run because of what this thing did.
Try taking two hijackthis logs, one when application services is stopped, and one when it is not.
One entry that concerns me is
"O23 - Service: Remote Desktop Help (Remote DesktopH) - Unknown owner - I:WINDOWSHeland.exe"
Do you know where that comes from?
Bob
I've had this virus, and I'm not sure if I still have it or not. Here's what happened.
I got back home on the 26th from visiting family this christmas, and when i tried to get on my computer, jaws just wouldn't load. I have had jaws telling me that I was running a demo and it was due to expire in 10 days blah blah blah, but I didn't think much of it. Then I reformated the computer, and jaws would work the first time, but then if I rebooted, it would die, so I'd reformat again. I got a new hard drive, and I changed the date to july first before doing anything else, so jaws worked. I may still have the virus, but as the date is changed, it doesn't do anything.
That virus also got my mom's box, since the crack was on it. Oh, and is it true that infects zip and rar files? It better not, heh. Anyways this is the end of my story for now, I'll post if anything else happends.
I don't think that's a virus though. JAWS 8 seems to have this "demo will expire in ten days" bug. I've come across it a few times now on this Vista laptop, I press OK and everything but then I just go in to the Help menu, re-enitialise the authorisation and serial numbers so it doesn't give me the message again for quite a few weeks, but there's certainly no need to reformat all the machines where JAWS 8 is loaded. I also ran a full quick clean, virus check and defrag with Mcafee, the virus software on all our computers the first two or three times it happened and very neat it is too, and it didn't find any viruses or anything, so yeah, it's just this little glitch with JAWS 8. Not a lot we can do about it, other than upgrade to JAWS 9 as that's available as of September this year, 2007 or just re-initialise JAWS when the message crops up again.
Jen.
O, and these dodgy viruses, time bombs, bugs with screenreaders Etc, are precisely the reason why I don't lay a 200-ft barge pole, let alone a single blimming finger on those fucking cracked versions of these things. I'll pay between £150 and £500 for a full, untampered-with version of JAWS for Windows if I had to, from Freedom Scientiffic, no other sources accepted on my desktop or this laptop, thank you. As a matter of fact, I got a sighted person/my mum, to download the full, untampered-with, legit, FS version of JAWS on to this laptop in the summer of this year, so I didn't get things like this stupid, pointless bug floating around on that dodgy cracked version.
Jen.
Hi,
First of all, I am new here. It is Ryan Smith, you may know me (I own) from the following websites:
It's not the jaws8 crack that effects this because I am running it now.
And it's the exact version listed in the other topic so that's not the issue.
It must be something else but what...
braille note nut, is your computer's date the correct date? Because if your computer's date is set to before dec 26th, or you are using a good jaws 8 crack like jaws 8.0.423 and not the bomb which is for jaws 8.0.2173, it'll work fine for you.
hello to all i am a user on here but haven't posted in a long time but i think that virus or what ever it is i hope gets fixed soon. until this is fixed i am going to not use windows since i whent out and got me a apple mac for christmas and have been getting used to it. hope every one has a fun new year.
Latest news: The O.N.C.E, the national organization for the blind in Spain, have broken their contract with freedom scientific because of the whole virus thing. My friend also told me that they O.N.C.E and fs got ahold of the jaws crack, and they say that this will be over in january. I don't know if they will release a patch, or the thing uninstalls itself in january. No idea. Anyways I hope that this is over soon.
Hi,
The entry you were talking about Bob
"O23 - Service: Remote Desktop Help (Remote DesktopH) - Unknown owner - I:WINDOWSHeland.exe"
Has no results on Google or any site. So that definitely is something. I'll try to get in contact with some of my security expert buddies from several months ago, maybe they'll know something. So, I need another log from a Victim. If those match, then that's our exe.
Hello Again, I am the "guy" from the AG-Forum, and it could have more on there, if there is any, hopefully there won't be though. I made it because, well there is the entire community thinking, this is it, or whatever, and this person thinks this or this person thinks that. This way, only the likely, or when the problem is solved, reasons will be put there. I am not sure what you mean by "trend", it wasn't mean to "show-off" of whatever you think, it is just a resource, just a resource and it is likely that it is "bomb" malware.
Thank You
Strange computer behaviours. I'm not sure if this has to do with this virus or not, but since I reformated this computer it's been acting weird. Messenger stopped working, windows tells me that there's no default browser like when I try to run a website it tels me there is no program associated with this file type, I've tried reintegrating firefox but nothing. Also IE properties are disabled.. This smells wrong. Is anyone else having these issues?
I'm using 8.423 for jfw crack. Jfw is just so much money and all, it's a wonder why FS is still in business. lol.
I really really don't think it's the JAWS crack, since my friend Tristan's got this thing and he actually bought JAWS and somehow got smashed with this thing, so now I really don't know. This is a real fiasco though.
OK, I'm thinking... that this worm or virus or trojan or boot sector modifier or rootkit can bind into your exes and when you run them it installs? Although it's very unlikely, since I've checked many exes and their sizes are the same.. what do you guys think?
Why does this thing affect certain people. This is so weird. My friend reformated windows and everything seems to be working fine.
to post 42. You are the most ignorant person I have heard. This has nothing to do with jaws cracks now. I is effecting legal copies of jaws. Please read before posting random things.
No flaming please guys.. if we want to solve this problem, we need to work together and take flaming somewhere else.
ok then you guys explain why I'm running both JAWS 9.0 and have Window-eyes 6.1 installed and looky here! Everything's working fine, I have no issues with my computer, everything's beautiful, yet some of you guys have this incredibly weird shit going on? Again I say this is a concentrated effort. By this I mean, a *specific* group of individuals was targeted for this to happen. Want proof? Check out some of the blindness technology blogs like the desert skies at, http://www.jeffbishop.net. see? Nothing about any JAWS virus on there. Or how about we take a look at The Blind Geek Zone, http://blind-geek-zone.blogspot.com. Also not a single word about this. There hasn't been a single word about this posted to any of the blindness related e-mail lists i'm on, and I'm on several mostly relating to JAWS because that's what I use most of the time. Also there would be a mention of it on the Freedom Scientific website, and guess what? Nothing about it. if this effected hundreds of thousands of people you can bet this would receive a lot of attention, but guess what? It hasn't, and you guys who got this thing, wether you realize it or not, were in the presence of someone that decided it'd be fun to mess with you for a while. I'm sorry as hell it happened, but the point I'm trying to get across is that it's a certain group that was targeted, and it sounds like some of you still haven't gotten on track which is a damn shame. I'm interested to see how this all turns out. I'm just glad that this, whatever it is, hasn't been spreading further on the net. It seems to have done its job. It really sucks.
It is strange in deed, but I don't think it is a particular group of people being targeted because some sighted people are affected by this.
I agree with both Jeannie and DJToonHead, people are being targeted, are chosed at random. That could explain it, choosing random people, including
sighted, and mess with there sapi or sr.
Yes, if this was a really wide outbreak you would be seing messages about it on the microsoft website, and the discussion lists for every screenreader would be absolutely buzzing about this. But outside of a few threads about it here on this site, and a few live journal posts from people who had this particular nasty thing happen to them, I've not seen a single post about it or heard one mention of it. Perhaps someone needs tocontact one of the antivirus companies and submit the offending files for analysis. If they don't know it exists, they won't be able to fix it. Obviously there's some kind of vonerability in windows that would allow this to happen, and I'd much rather there be a virus definition update to squash the bug rather than it happen again to a whole group of people. Another bit of advice. anyone having this problem, I would be very very careful around the 26th of January as well. If you get the problem fixed but the offending file is still hanging out on your system and you don't even know it you'll just end up going through this whole mess again. I'm not saying this because I have any kind of inside information, all i'm saying is that I know how some of these viruses/trojan worms work, and some of them are a bitch and a half to get rid of. So if any of you get your systems fixed, lock down your network and try to avoid using skype or any kind of file sharing programs or anything that would let any other untrusted individuals access to your system. The story just keeps getting more interesting.
So it looks like reformating windows does not work. Are there such things as extremely rare viruses that only get a few people? And why screen readers? Of all things. This thing is the last thing I want to get after reformating earlier this month for another reason.
I have been using a legal copy of JAWS and I haven't had this virus get into my computer. Well, that's becaues I use Zone Alarm, AVG free, all that stuff. I kind of agree with what Tune Head was saying about the whole people being targetted and everything. I would love to send this file to AVG and Zone Labs so they could see what they could do about the virus. But I have no way to obtain that file.
I think that I'm going to notify Kasperkey labs about this too, sence I also use them too for virus protection.
So is the file like some spyware/virus/root kit? Even know they say that is a virus, there could be something hiding its processes and stuff. Which would be the rootkit part of it.
This thing will never be solved, at least on this site, unless some of you would quit making guesses and post more hijackthis logs. Or give us data concerning the state of your infected computers.
If some of you with the problem would tell us everything that's running on your machines then this cruel and childish hacker could be stopped in his/her tracks. There's nothing magic about a hacker's work, it's just one more computer program.
Since the problem seems to effect programs like HAL, Window-eyes and JAWS, I would suspect someone tampering with the video display chain. But, since it also effects narrator and not nvda, this guess is suspect too. But, that's how you break a hack: you gather data and make educated guesses and then test those guesses. You don't do it by pointing fingers etc.
I'll have to review my notes on hijackthis, but I'm pretty sure there are ways of stopping certain processes from running. Then you re-check to see what effect this has on your machine.
In other words, quit pointing fingers, bemoaning the way things are, and give us clues concerning what's going on.
Bob
I have it. for you guys on skype, Cody, its Tristan. Shaun, its tristan. I have reformatted 3 times, and am going to try the date fix, putting the date back then reformatting... Thank you...
Hi,
Wow, reformatting doesn't even work. That's just..sad. I 100% agree with you blbobby, we can't just say Tyler did it, or whatever. Just keep telling us everything of what is going on. Here's what I want the infected to do:
Another real problem with this is, without usable sight, how are some of these guys going to be able to install hijack this to get a log sent?
and how will they even do all the requested stuff if they can't even read the screen? I'm not even sure how some of you are typing on here without a screenreader unless you have some usable vision. I'm using a perfectly legal copy of JAWS 9.0 and I've been doing so ever since JAWS 3.0 came out around 10 years ago when a lot of you were still in the third or forth grade lol. I've never even had a cracked JAWS version installed on my system. I've had a copy of it in my possession because someone sent it to me, but i never used it because i never really had to. I know it's not always possible, but come on people, stay away from these cracks, especially if you hang out in this particular group. I know screenreaders are expensive and not everyone can afford them. But look what happened? Now it looks like the only *real* sollution is to get a completely different hard drive and install windows on it. and as sad as it is for me to say, as much as i hate it, but Vista looks like it might be a good choice too. All the people hit with this were running xp, with a different combination of programs. But that's the common thread. So Vista might be good for you.
oh and btw folks, the proper spelling of my screen name on here is
d, j, t, o, o, n, h, e, a, d.
Nobody seems to ever be able to get this right. If you wanna find out how someone's screen name is spelled, just focus on the link with the person's screen name and then use your right arrow key and you can read the name letter by letter. to go back use the left arrow. I just had to throw that in since I've been on this site for roughly 3 years and people never seem to be able to get it right.
Anyways, it's a good thing that a lot of things are on sale around the holidays, maybe some of you guys can buy new hard drives and fix this problem. and STOP RUNNING CRACKED COPIES OF JAWS!!!!! You'll be glad you did.
First from what I've read it appears the vast majority if not all users who are effected are zone users. This makes me think the virus was spread through the zone. Second if people were getting NVDA through other zone users the crack could have been packaged in both NVDA and the jaws crack. Third if anyone has the installers that they think were cracked I'd appreciate if they could use yousendit or something and zip the installer up and send me a link. I'd like to use vmware along with the snapshot feature to try and figure this out.
hmmm... i ahve been infected... and i reformated 3 times... I repaired the boot sector
I don't think it's a Zone thing because some of my friends have it and it's not the crack either. If it was more people would be affected by it. So far it's more icilated.
The current attack seems to be over, but that doesn't mean there won't be more of them. So if you haven't been infected, take the necessary steps and don't allow your computer to fall victim to this.
I haven't gotten it yet, and I hope i don't anytime soon. I am using a cracked version of JAWS
I don't think admitting that you're using a cracked version of JAWS on a website is the smartest thing in the world to do, but hey whatever.
and if ya wanna stop some process from running check out essay evader! in the "new little program from me" post by malthe.
uh, i have done a repair of the mbr and just a fix boot in the windows repair console,, nothing... I have reformmatted 3 times, changed the date, nothing...
I am asking,
Can someone right a tutorial or a way to get rid of this thing and/or a work around? And if there are some backup methods of making my jfw work let me know....
thankyou
Time for a new hard drive for you! and no more JAWS cracks. If they cause this much trouble, the obvious solution, although expensive, is to go legal. I know that's not possible for everyone and I'm sorry as hell about this whatever it was, but this might be a hard lesson for folks about internet security.
Wow Tristan, that just sucks. Are you positive you are truly reformatting? I know many comp. manufacturers are cheap, and they say they reformat, but they are just reinstalling files. In that case, it would be possible for it to stay. There is not much I can do, I have 1 persons HiJack This Log compared to...nothing. Tristan, please send me a HJ log. I think its that suspicious entry, in HJ this you can delete entries. Other then that, I would say new hard drive. Can you repair Sapi? I still have many questions unanswered..:(. I would say that the hacking in done though. So those who are not infected are safe for now. So can someone infected tell me exactly what us going on and everything you have done as well as HJ logs and screen shots? Thanks.
I don't crack my jfw... and how do i make a highjack this log...? Please upload the program i can't use skype or msn.
For info on hijackthis go to
http://www.spywareinfo.com/~merijn/index.php
There is a link there to the hijackthis site with some very pertinent information.
Bob
go to what? there's no link; it just says go to:
Sure there is, at least on my computer.
The url is http://www.spywareinfo.com/~merijn/index.php.
I went there, arrowed down to "hijackthis" and downloaded the latest version.
Bob
For all of those asking about my involvement in the creation of this virus, I have nothing to do with it and could care less about figuring out how to remove it. I got it a cupple of times, but made an ntfsclone of my disk before I got it so I was up and running in about half an hour. I don't think that this virus has anything to do with the MBR because ntfsclone doesn't restore the mbr, and I haven't got it yet again.
Okay then, so Tyler, did anyone happen to get the Victim source from you, or anyone else know that you use the WNP? And Tristan, I'll upload it using the best uploading service, ACE Share! and give you a link
Okay, Tristan would you mind doing Remote Assistance with me so I can see whats going on? And for those wanting HiJack this, please get it from our fabulous uploading service:
http://www.acegamesonline.net/rsgames/uploads/files/HJTInstall.exe
And a problem here is, people still seem to think that it is the crack. But people who DON'T crack and honestly bought everything, including SR, got bombed with this. So yeah, maybe there are multiple methods of infection, one through a dll, there has to be another way.
This whole thing is kind of getting pointless now. No new cases of the thing have been reported that I've been able to tell i think it's time for you all to take advantage of those after Christmas sales and just get yourselves new hard drives and install windows on them. and after that, secure your system!!!
I completely agree with the poster above me.
I was bored and sick of people blaming me for this thing so decided to analyze this thing. Here are the results:
1. When the program starts, it extracts and runs mci32.exe.
2. mci32.exe checks for the existance of windowsa, if found, beeps (loud) and exits. if it's not found, it begins to install its crap.
3. when the virus is on the system an dactive, it constantly checks for the existance of windowsa. When I created the file and rebooted, the screen readers came back, and windowsconfigsvchost.exe didn't run.
4. When the virus is active, windowsconfigsvchost.exe runs, and begins hooking mci32.exe into files under %userprofile%.
This is what I found out by using sysinternals utilities. All the information for uninstalling this thing is here, you just need to know what to do with it.
the paths should be windowsa and windowsconfigsvchost.exe. the zone screwd them up.
Nice Tyler. I'll add that to the site. I'll see what I can do with autoit or vb to remove this thing.
I get what your saying now. Create windowsa, but where do you create it? Is is a folder or file? It wouldn't be that difficult to create a file.
The zone kept screwing up my backslashes. the correct files are /windows/a and /windows/config/svchost.exe. replace the / with a backslash.
Cool from what I understand you go to
C:(or whatever it is)/windows/a and thats that part. And delete C:/windows/config/svchost.exe
And thats it? Not to serious......good job tyler, this is what you can do when your a white-hacker!!!
So heres what I think you said.
1. Create C:/windows/a
2. Delete C:/windows/config/svchost.exe
3. Reboot and cross your fingers!
You can't discuss cracked software on this site, unless you'd like a warning from a community leader.
Right you are. Requesting or offering cracked software is a definite no-no.
The offending post has been deleted and the offending user has been dealt with.
Bob
I don't know if anyone have seen this.
http://www.sophos.com/security/blog/2008/01/998.html
This is the first time I've seen any mainstream report about this. A few things about this article though. If it is to believe the reports on here, people who had crac-s to jaws 8.x were also targeted. Also some of people who had valid legal jaws licences claim to have been atacked. Also I don't understand that if this is as wide spread how come no screenreader companies have mentioned anything about this, at least not to my knowledge. Still interesting that this apeares in a mainstream blog of an anti-virus software.
yeah, and then this embeds into .exe files too.
Well InternetKing, Sophos contacted me and asked for a virus sample...
Did u give it to them?