Shortly before I was about to throw the hard disk in the trash, I downloaded and tried Zero Assumption Recovery. To my surprise, it gained access to my inaccessible hard disk. (Aaron Weiner)

Many thanks for the Zero Assumption Recovery image recovery tool. I had lost all the pictures of my newborn daughter and had tried again and again over the last 2 days. The program is easy, fast and very effective. (Ben Frater)

Sometimes disaster strikes. For various reasons, you may lose data. Formatting, accidental overvoltage, virus attacks and faulty hardware are just some of the scenarios in which you will be looking for a data recovery solution. Zero Assumption Recovery provides a very complete suite of data recovery software for the Microsoft Windows operating system. We are proud that the data recovery software we have created is considerably more thorough than many other solutions on the market: even on a badly damaged hard disk, ZAR works through the recovery in its entirety and finally delivers a result. ZAR Data Recovery is suited to individuals and small businesses that need a powerful data recovery solution for the Windows file systems FAT and NTFS and for the Linux file systems Ext2/3/4 and XFS. The default configuration is complete and reliable, but more technical users can take advantage of the optional parameters.

Analysis of the resource section of the file indicates that it contains an encrypted payload with a built-in decryption routine. We show how the malware becomes active once it has successfully infected user32.dll.
The code at the entry point of an infected user32.dll is patched with a jump to AlignRects, as shown below.

Original:
UserClientDllInitialize:
7e41b217 8B FF            mov edi, edi
7e41b219 55               push ebp
7e41b21a 8B EC            mov ebp, esp
7e41b21c 83 7D 0C 01      cmp dword ptr [ebp+0xC], 1
7e41b220 75 05            jnz 0x7e41b227
7e41b222 E8 5D 07 00 00   call 0x7e41b984
7e41b227 5D               pop ebp
7e41b228 90               nop
7e41b229 90               nop
7e41b22a 90               nop
7e41b22b 90               nop
7e41b22c 90               nop
7e41b22d 8B FF            mov edi, edi
7e41b22f 55               push ebp
7e41b230 8B EC            mov ebp, esp

Patched:
UserClientDllInitialize:
7e41b217 8B FF            mov edi, edi
7e41b219 55               push ebp
7e41b21a 8B EC            mov ebp, esp
7e41b21c 83 7D 0C 01      cmp dword ptr [ebp+0xC], 1
7e41b220 75 0E            jnz 0x7e41b230
7e41b222 E8 00 00 00 00   call 0x7e41b227
7e41b227 83 04 24 05      add dword ptr [esp], 5
7e41b22b E9 B0 22 05 00   jmp AlignRects
7e41b230 8B EC            mov ebp, esp

The code at AlignRects is no longer the original either; it has been replaced by code that allocates a new executable memory block and copies the encrypted payload from the resource section into the memory just allocated.

AlignRects:
7e46d4e0 pusha
7e46d4e1 ...
7e46d4e2 push ebp
7e46d4e3 mov ebp, esp
7e46d4e5 sub esp, 8
7e46d4e8 mov eax, [ebp+0x4C]           ; eax = base address of user32.dll (7E410000)
7e46d4eb mov ecx, eax
7e46d4ed add eax, 0x13bc
7e46d4f2 mov eax, [eax]                ; eax = NtQueryVirtualMemory (taken from the IAT)
7e46d4f4 add eax, 0xfffff5f0           ; eax = NtAllocateVirtualMemory
7e46d4f9 push 0x40
7e46d4fb push 0x3000
7e46d500 lea ecx, [ebp-8]
7e46d503 mov dword ptr [ecx], 0xc576
7e46d509 push ecx
7e46d50a push 0
7e46d50c lea ecx, [ebp-4]
7e46d50f mov dword ptr [ecx], 0
7e46d515 push ecx
7e46d516 push 0xff
7e46d518 call eax                      ; call NtAllocateVirtualMemory
7e46d51a mov edi, [ebp-4]              ; edi = allocated address
7e46d51d mov eax, edi
7e46d51f mov esi, [ebp+0x4C]           ; esi = base address of user32.dll (7E410000)
7e46d522 add esi, 0x8d200              ; esi = address of the encrypted payload (resource section)
7e46d528 mov ecx, 0x98bb
7e46d52d rep movsb es:[edi], ds:[esi]  ; copy into the allocated (executable) range
7e46d52f leave
7e46d530 add eax, 0x981e               ; eax = decoding code
7e46d535 jmp eax                       ; begin to decipher

A block of executable memory is reserved by this code. To do this, the address of NtAllocateVirtualMemory is derived from the address of NtQueryVirtualMemory, which is taken from the user32.dll IAT. The encrypted payload is then copied into the memory just allocated. This encrypted payload contains a small piece of decryption code, located near the end of the encrypted payload. This decryption code is shown below:

0:000> r
eax=0029981e ebx=7e41b217 ecx=00000000 edx=7c90e514 esi=7e4a6abb edi=002998bb
eip=0029981e esp=0007f9d4 ebp=0007fa10 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
0:000> u eip l20
0029981e call 00299823
00299823 pop edx                   ; edx = current position (eip)
00299824 sub edx, 7FFA2F22h
0029982a push esi
0029982b lea esi, [edx+7FFA2F1Dh]  ; esi = pointer into the allocated memory
00299831 mov ecx, 981Eh            ; ecx = size (number of bytes) to decrypt
00299836 sub esi, ecx              ; esi = base of the allocated memory (290000)
00299838 push esi
00299839 mov ebx, 6FAAEh           ; ebx = XOR key (only bl is used)
0029983e xor byte ptr [esi], bl    ; decrypt one byte
00299840 inc esi
00299841 inc ebx                   ; the key changes for every byte (+1)
00299842 loop 0029983e
00299844 pop eax
00299845 pop ecx
00299846 mov dword ptr [eax+12h], ecx
00299849 jmp eax                   ; jump into the allocated memory, which is now decoded

The decoder applies a simple XOR decoding in which the XOR key byte used to decrypt each byte is incremented after every operation. Once all bytes of the allocated memory range have been decrypted, the range holds plain code. Note the first two instructions of this decoding code, which use a call/pop combination to retrieve the current address. This makes the decrypted code position independent.
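To make the decryption loop concrete for an analyst working on a memory dump, here is a Python re-implementation of the scheme described above. This is an added example, not code from the original analysis or from the malware: the layout constants (0x981e bytes of ciphertext followed by the decoder stub, initial key 0x6FAAE) are the values in the listing, the function names are assumptions, and the "region" it decodes is constructed in the script itself rather than taken from a real sample. It goes slightly beyond the listing by adding a known-plaintext check that recovers the low key byte from an expected MZ header, which is how one would confirm the key when the dump comes from an unknown variant.

```python
# Added example: offline re-implementation of the incrementing-XOR decoder.
# Constants are taken from the disassembly above; everything else is assumed.

PAYLOAD_SIZE = 0x981E   # value loaded into ecx before the loop
INITIAL_KEY = 0x6FAAE   # value moved into ebx; only bl (the low byte) touches data


def rolling_xor(data: bytes, key: int) -> bytes:
    """Equivalent of the loop at 0029983e: xor byte [esi], bl ; inc esi ; inc ebx.
    The key lives in a 32-bit register but only its low byte is used, so byte i
    is XORed with (key + i) & 0xFF. XOR is symmetric, so the same routine both
    encrypts and decrypts."""
    return bytes(b ^ ((key + i) & 0xFF) for i, b in enumerate(data))


def decode_region(region: bytes, size: int = PAYLOAD_SIZE, key: int = INITIAL_KEY) -> bytes:
    """`region` is a dump of the allocated block starting at its base address
    (0x290000 in the listing). The first `size` bytes are ciphertext; whatever
    follows (the decoder stub itself) is left untouched, exactly as the loop does."""
    if len(region) < size:
        raise ValueError("region is shorter than the encrypted payload size")
    return rolling_xor(region[:size], key) + region[size:]


def looks_like_pe(data: bytes) -> bool:
    """Plausibility check after decoding: a PE image starts with the 'MZ' magic."""
    return data[:2] == b"MZ"


def recover_key_from_mz(region: bytes) -> int:
    """Known-plaintext check (assumption: the decrypted payload is a PE image).
    'M' pins down the low key byte for offset 0 and 'Z' must then match the
    incremented key at offset 1; if it does not, the dump is not what we think."""
    k0 = region[0] ^ ord("M")
    k1 = region[1] ^ ord("Z")
    if ((k0 + 1) & 0xFF) != k1:
        raise ValueError("first two bytes are not consistent with an MZ header")
    return k0


def build_sample_region() -> bytes:
    """Constructed test data, not a real payload: a fake 'MZ' image of PAYLOAD_SIZE
    bytes encrypted with the same scheme, followed by a marker standing in for the
    decoder stub that sits at the end of the real block."""
    plain = b"MZ" + bytes((i * 7) & 0xFF for i in range(PAYLOAD_SIZE - 2))
    stub = b"<decoder stub>"
    return rolling_xor(plain, INITIAL_KEY) + stub


if __name__ == "__main__":
    region = build_sample_region()
    print("ciphertext looks like PE:", looks_like_pe(region))
    print("recovered low key byte:  0x%02X" % recover_key_from_mz(region))
    decoded = decode_region(region)
    print("decoded looks like PE:   ", looks_like_pe(decoded))
```

Run against a real dump, `decode_region` should be fed exactly the bytes from the allocated base up to and including the stub; if `recover_key_from_mz` raises, either the base offset is wrong or the variant uses a different key, and the sanity check saves guessing at the rest of the image.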
The 'fixed' values in this code, the size of the encrypted payload and the XOR key, could easily be automated to hamper static detection and defeat a fixed decryption mechanism.

We do not know the hardware specifications of the victims' computers, so suppose (hypothetically) that 1/4 of the infected machines have an NVIDIA graphics card of the kind mentioned above. Assuming also that the miners were not noticed by virus scanners or by the user, these 25,000 computers of the botnet (1/4 of 4% of the 2.5 million) would generate about 5.5 BTC.

This malware can steal usernames and passwords, block Web sites and launch denial of service (DoS) attacks. It is also often used to deliver other malware. The most interesting feature of this malware, in my opinion, is the creation of a hollowed process to hide its presence. In this case it abuses a legitimate Windows Calculator process (calc.exe) and replaces the original memory contents with malicious code. To the operating system and to the user it appears that the original calc.exe is running, while in reality the calc.exe process has become Dorkbot. This Windows process now has unusual capabilities, such as HTTP and DNS interception.