Page 3 - Nilpo's Ultimate Windows Troubleshooting and Security Guide

You should never open an email attachment from an unknown sender and definantly never open an attachment with one of the file extensions listed below unless you have specific reason to.

This is a partial list of either executable files or files that can contain executable code:

ADE - Microsoft Access Project Extension
ADP - Microsoft Access Project
BAS - Visual Basic Class Module
BAT - Batch File
CHM - Compiled HTML Help File
CMD - Windows NT Command Script
COM - MS-DOS Application
CPL - Control Panel Extension
CRT - Security Certificate
DLL - Dynamic Link Library
DO* - Word Documents and Templates
EXE - Application
HLP - Windows Help File
HTA - HTML Applications
INF - Setup Information File
INS - Internet Communication Settings
ISP - Internet Communication Settings
JS - JScript File
JSE - JScript Encoded Script File
LNK - Shortcut
MDB - Microsoft Access Application
MDE - Microsoft Access MDE Database
MSC - Microsoft Common Console Document
MSI - Windows Installer Package
MSP - Windows Installer Patch
MST - Visual Test Source File
OCX - ActiveX Objects
PCD - Photo CD Image
PIF - Shortcut to MS-DOS Program
POT - PowerPoint Templates
PPT - PowerPoint Files
REG - Registration Entries
SCR - Screen Saver
SCT - Windows Script Component
SHB - Document Shortcut File
SHS - Shell Scrap Object
SYS - System Config/Driver
URL - Internet Shortcut (Uniform Resource Locator)
VB - VBScript File
VBE - VBScript Encoded Script File
VBS - VBScript Script File
WSC - Windows Script Component
WSF - Windows Script File
WSH - Windows Scripting Host Settings File
XL* - Excel Files and Templates

* Microsoft Office Document formats appear on this list because they can contain dangerous macros that can execute VBA code when they are opened. You should disable macros before opening any Office document received over the internet.

Direct Link: http://guide.nilpo.com/executables

Beginning with the next release of my SysClean script, I will be implmenting version numbers and a history report.

There are many modifications and changes in the works and it's going to be much easier if I begin using standard software release procedures so that script versions can be identified for support purposes.

Also, with the next release I will be offering free support for the script. I will make the website address available when the time comes.

The download location for my Sysclean script has changed. Here is the new link:

SysClean.vbs (7 KB)

So, your AV software has done it's job. It notified you that you were infected and successfully removed the malware.

What next? How can you be sure your system is truly healthy and how can you prevent this from happening again?

Verifying Your System's Health

Windows provides several tools for verifying the integrity of your system files. These tools are designed to ensure that your system is running on original Microsoft files and that they have not been altered.

Windows File Signature Verification Tool
The File Signature Verification tool checks to see which system files and device driver files are digitally signed and displays its findings. If you have enabled logging, the search results are also written to a log file. Run sigverif.exe from the command prompt or Run dialog to start the Signature Verfiication Tool.

System File Checker Tool
The System File Checker tool is used to verify protected system files. Run sfc /scannow from the command prompt or Run dialog to start the tool. more info, additional resource

Windows File Protection
Windows File Protection is a built in feature used to ensure the integrity of your Windows installation. More details on how this system works can be found in this Knowledgebase Article.

Preventing Infections

1. Firewall - Installing and using a good firewall is the first step in preventing problems. A hardware firewall is always best, that's no excuse not to use the software type. Many good routers now have firewalls built-in, read your hardware's manual to see if the features are included and how to configure them. Many good software firewalls can be found in the Useful Freeware Database thread.
2. Windows Update - Use Windows update to make sure that you have the latest hotixes and security patches installed on your system. Visit the Windows Update website or enable Windows Automatic Updates on your PC.
3. Anti-Virus Software - Using a good antivirus software is probably you number 1 defense against viruses. Many free ones are available in the Useful Freeware Database thread listed above. Make sure that the AV software you choose has a real-time scanning feature.

Windows XP Security Checklist

Windows XP Baseline Security Checklists

Direct Link: http://guide.nilpo.com/virusaftermath

Several threats are now using the following registry key to load.

HKLM\Software\Windows NT\CurrentVersion\Winlogon\Notify

Each key under the previous is a separate instance.

Another registry key is now being commonly exploited for unwanted code execution:

HKLM\Software\Microsoft\Windows\CurrentVersion\pol icies\Explorer\run

Here is a list of some great online scanning tools.

AV/Malware Scanners:
Trend Micro - Free online virus Scan
Trend Micro™ Anti-Spyware for the Web
Panda Activescan, the online scan
spyxposer_principal
SpywareInfo Online Spyware Detection
BitDefender Free Online Virus Scan
Free online Trojan Scanner - Scan your system for Trojans
Email Security Testing Zone
eTrust Antivirus Web Scanner
Kaspersky File Scanner
Symantec Security Check
F-Secure Online Virus Scanner
PestPatrol Anti-Spyware Pre-scan
avast! OnLine scanner
BitDefender Online Scanner
Email Anti Virus and Security Testing Zone
eTrust PestScan
ewido online scanner beta
(C)lamAV (O)nline (S)pecimen (S)canner
Panda ActiveScan Free
::::: VirusTotal :::::
IKARUS Software Vienna
ArcaBit > ArcaOnline - Arcabit Online Scanner
Free online Trojan Scanner - Scan your system for Trojans
Dr. Web Online Virus Scanner
Online malware scan
Free Online Spyware Scanner and Remover
Do you have parasites?

Security Tests:
Security Scan - Sygate Online Services (sos)
broadband » Port scan
Stealth And Security Tests For Concerned Internet Users
Firewall Test, Port Scan and Internet Security made easy - Spy Ware, Audit and Tools
Web Security and Penetration Testing
Test for MS Javascript/ActiveX exploits
Network Security Audits / Vulnerability Assessments by SecuritySpace
HACKERWHACKER FIREWALL TESTER, SECURITY NEWS, FREE SECURITY SCAN
Shields UP! — Internet Vulnerability Profiling
PC Flank: Make sure you're protected on all sides.
Free Port Scan - Free Server/Firewall Test - SecurityMetrics
BrowserHawk - Browser capabilities test page
Leader - Holmes Who Test
Rex Swain's HTTP Viewer
Mail relay testing
WinNuke Test Page
4IT Webtracer
Direct Link: http://guide.nilpo.com/avtools

I've added another registry key and updated links.

Cheers.

NTFS5, the native file system used by Windows XP has a very cool feature called EFS, or Encrypted File System. EFS is an invisible file encryption method that is built directly into the file system. This provides an extra layer of protection for keeping your folders private. This guide will explaing what it is and how to use it effectively. Please note that the EFS features have been removed from Windows XP Home Edition. "Removed?" You ask. Yes, removed, as I said earlier EFS is built into NTFS (NT File System), the ability to enable it has been removed from XP Home Edition.

So what operating system have this feature? Any Microsoft operating system 2000 or newer has this feature. However, only the Professional and Server releases have it enabled. So here's the list as it stands at the time of this writing.

Windows 2000 Pro or Server, Windows XP 32-bit Pro, Windows XP 64-bit Pro, and Windows Server 2003. I'm not sure, but I assume the same rule will apply to Windows Vista releases.

So the techies might be asking, "How can they remove EFS if it's native to the file system?" The answer, the Home and Pro versions use different NTFS drivers.

Encrypting a File or Folder with EFS

1. Browse to a file or folder in either My Computer or Explorer, right-click and choose Properties...
2. Click the Advanced... button
3. Put a checkmark in the box that says "Encrypt contents to secure data" and click OK
4. Click OK to close the Properties dialog.
5. If you are changing a folder that already contains files, you will recieve a confirmation dialog. Click OK

The process for removing the EFS attributes is just the opposite the the above. Follow the same procedure and remove the checkmark we just added.

Okay, so now we know how to do it, but how does EFS work? Well, I'm going to be as basic as possible in my approach. I'm not about to begin trying to explain encryption in this single post.

Basically, your computer creates a sort of password hash using your user information and then applies it to an algorithm and encodes your files. In basic english, that means that without being logged on with your user ID and password, the computer literally cannot read the file's contents. You might compare it to trying to read an Arabic newspaper. (That, of course, assuming you can't read Arabic.)

By default EFS uses DESX (56-bit) in Windows 2000 and DESX (128-bit) in Windows XP. Windows XP SP1 and higher use AES (256-bit) by default. Optionally 3DES (168-bit) in Windows XP and Windows 2003 (and Windows 2000 with High Encryption Pack) may be used. All of these algorithms make use of a random cipher key so they present a fairly strong encryption. Your average joe is not going to crack this thing in any reasonable amount of time, especially if you use a strong Windows password. Also note that 3DES complies with Federal Information Processing Standards (FIPS 140-1 Level 1) and is significantly stronger than the default DESX encryption. You have to enable the use of 3DES. I'll show you that later in this article.

Now we have a basic understanding of what it does and how to do it, but is there anything else we should know. Well, yes. Let's suppose you reload Windows and can't log on with the user that originally encrypted the files. (Even recreating a user with the same name will not work.) You won't be able to view the files because your current user won't be able to decrypt them. That's could make for a big nightmare.

Luckily, Windows provides a way for us to backup our EFS information to prevent this from happening. The backup that is created can be used to grant any user (current or future) access to the files by using a created floppy disk. Don't worry, not anyone who finds this floppy disk can use it. The backup procedure will setup the floppy so that it requires a password to use it. (I knew what you were thinking... ).

Without wasting any more time, here's how to create the backup.

Backing Up Your EFS Key - Method 1

1. Click the Start button and choose Run...
2. Type mmc and click OK.
3. On the File menu, choose Add/Remove Snap-in and then click Add.
4. Under Available Standalone Snap-ins, click Certificates, and then click Add.
5. On the Cerificates snap-in dialog, select My user account and then click Finish.
6. Click Close and OK to finish installing the new snap-in.
7. In the left pane of the console window you will see a new heading has been created on the tree display. Click the plus sign next to Certificates - Current User to expand it.
8. Next expand Personal and then expand Certificates.
9. In the right pane, select the entry that says File Recovery in the Intended Use column.
10. Right-click the certificate you just found and point to All Tasks and then click Export to start the Certificate Export Wizard.
11. Click Next.
12. Select Yes, export the private key and click Next.
13. Select Personal Information Exchange - PKCS #12 (.PFX) and also select Enable strong protection and then click Next to continue.
14. Specify a password. (Note: this is the password that will be required to reinstall you backup. Make sure to pick a strong password that you will remember. I recommend choosing a password that is different from your Windows Login password.)
15. Specify a filename and location to save the exported key. I recommend using your Windows Username for the filename and saving it to a removeable storage device such as a floppy disk or USB thumb drive. You may also burn the file to a CD.
16. Verify the settings and then click Finish.

In the future you will not have to add the Certificates snap-in. Instead you will be able to start at step 7.

Backing Up Your EFS Key - Method 2

1. Start Microsoft Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Content tab, in the Certificates section, click Certificates.
4. Click the Personal tab.
5. Select one certificate at a time until the Certificate Intended Purposes field shows Encrypting File System. This is the certificate that was generated when you encrypted your first folder.
6. Click Export to start the Certificate Export Wizard, and then click Next.
7. Click Yes, export the private key to export the private key, and then click Next.
8. Click Enable Strong protection, and then click Next.
9. Type your password. (I recommend not using your Windows password.)
10. Specify the path where you want to save the key. You can save the key to a floppy disk, another location on the hard disk, or a CD. If the hard disk fails or is reformatted, the key and the backup will be lost. (If you back up the key to a floppy disk or CD, you must store that disk or CD in a secure location.)
11. Specify the destination, and then click Next.

Windows 2003 user have the option to backup using a button on the Details page under Advanced Properties when encrypting a file.

As I said, Windows XP Pro and higher give the option to use the stronger 3DES algorithm, however, it is not installed by default.

Enabling Advanced Encryption By Using 3DES

1. Click the Start button and choose Run...
2. Type gpedit.msc and click OK to start the Group Policy Editor.
3. In the left pane navigate to Computer Configuration>Windows Settings>Security Settings>Local Policies>Security Options.
4. Open the System Cryptography: Use FIPS compliant algoriths for encryption object. (Note that this settings applies to EFS and IPSec)
5. Select enabled and click OK

Once 3DES is enabled, you will still be able to open files that were encrypted with DESX. So you can enable this option at any time.

Allowing Multiple User Access to Protected Files
You may find that you want to share an encrypted resource. Note that you cannot share an EFS encrypted folder. You must allow access on a per file basis.

1. Right-click the file and choose Properties...
2. Click Advanced and then click Details
3. Click the Add button to allow users.

"But I've disabled share-level acces to my files and allow access only to the users that I want. What good will EFS do me?"

Okay, the permissions here rely on ACL's or Access Control Lists. ACL's are extremely effective, but the problem here is that they are completely useless outside of the Windows environment. In other words, if someone connects your computer (or connects your hard drive to a computer) running a different operating system such as Linux your ACL's don't mean a thing. They'll be browsing through your files like they weren't even there.

"I don't have anything to hide. Why waste my time?"

EFS is just an added bonus feature for the home PC owner. And since it works by itself in the background, it doesn't require any extra effort to use it. Besides, a little extra security never hurt anyone.

You can view this original thread here.

Direct Link: http://guide.nilpo.com/efstut

This is an updated listing of all of my articles published by Developer Shed. I've organized them by site. I've also included release dates and linked current articles.

Subscribe to the Live Feed

New releases appear in orange!

ASP Free

• Working with the Windows Registry in WSH - Windows Scripting (8-29-06)
• Handling Live Web Content in WSH - Part 1 - Windows Scripting (9-6-06)
• Handling Live Web Content in WSH - Part 2 - Windows Scripting (12-19-2006)
• Reading text files in WSH - Windows Scripting (1-23-07)
• Writing text files in WSH - Windows Scripting (1-24-07)
• An Introduction to Files and Folders in WSH - Windows Scripting (2-5-07)
• Advanced Files and Folders in WSH - Windows Scripting (2-12-07)
• Working With Files and Folders in WSH Using WMI - Windows Scripting (unreleased)
• Handling User Input in WSH - Windows Scripting (2-19-07)
• Logging Events in WSH - Windows Scripting (2-26-07)
• Error Trapping and Capturing Third-Party Output in WSH - Windows Scripting (3-5-07)
• An Introduction to Microsoft PowerShell - Windows Scripting (3-12-07)
• Using Includes in VBScript - Windows Scripting (3-27-07)
• SystemScripter 6.02 Review - Windows Scripting (3-28-07)
• Sending Emails Using CDO in WSH - Windows Scripting (4-3-07)
• Building a Mass-Emailer in WSH - Windows Scripting (4-4-07)
• Hacking the Windows XP Start Button Text - BrainDump (4-9-07)
• Changing the Windows XP Start Button Icon - BrainDump (4-10-07)
• Replacing the Windows XP Start Button Background - BrainDump (4-11-07)
• How to Hack Protected Windows XP Files - BrainDump (4-16-07)
• Age-Based File Deletion in WSH - Windows Scripting (4-17-07)
• Writing Portable Scripts in WSH - Windows Scripting (4-18-07)
• User Interaction with Common Dialogs in WSH - Windows Scripting (4-24-07)
• Workarounds for Common Dialogs in WSH - Windows Scripting (4-25-07)
• How to Stop a Virus in Windows - BrainDump (4-30-07)
• How to Remove a Virus in Windows - BrainDump (5-1-07)
• Windows XP Startup Methods - BrainDump (5-2-07)
• Creating a Web Test Environment in Windows - BrainDump (5-7-07)
• Using the Web Test Environment - BrainDump (5-8-07)
• Installing a Joomla! Test Environment in Windows - BrainDump (5-9-07)
• Event Scripting with WMI - Windows Scripting (5-14-07)
• More Event Scripting with WMI - Windows Scripting (5-15-07)
• Introduction to WQL: SQL for WMI - Windows Scripting (5-16-07)
• Parsing Event Logs in WSH - Windows Scripting (5-21-07)
• Advanced Event Log Parsing in WSH - Windows Scripting (5-22-07)
• Event Log Parsing for the WSH Administrator - Windows Scripting (5-23-07)
• Using FTP in WSH - Windows Scripting (8-13-07)
• Easier FTP in WSH - Windows Scripting (9-4-07)
• Basic Data Protection in Windows - Windows Security (11-27-07)
• Advanced Data Protection in Windows - Windows Security (12-04-07)
• Looping Statements in VBScript - BrainDump (12-11-07)
• Working with System Processes in WSH - Windows Scripting (1-15-08)

Dev Hardware

• The Ultimate Troubleshooter v3.62 - Software Reviews (10-16-06)
• A New Spin On Storage - Opinions (11-15-06)
• The Future of Hardware and Technology - Opinions (11-28-06)
• Solving Common Networking Problems - Opinions (11-20-06)
• The World Browser Championship, Round 2 - Software (11-1-06)
• CyberLink DVD Suite Pro v5 - Software Reviews (On Hold)
• SteelSound 3H Gaming Headset Review - Peripherals (1-10-07)
• Bluetake BT007SX EDR Bluetooth USB Adapter - Networking Hardware (2-20-07)

Dev Shed

• How To Set Up Podcasting and Vodcasting - XML (3-12-07)
• Standards-compliant Link Targets with Wordpress - PHP (12-19-07)
• MySQL Table Prefix Changer Tool in PHP - MySQL (1-2-08)

Dev Articles

• A New Toolbar Can Boost Your Web Site Traffic Dramatically - Embedded Tools (1-10-07)
• Simple Web Syndication with RSS 2.0 - XML (1-24-07)

Web Hosters

• Hosting Companies Sport Unconventional Marketing Techniques - Web Hosting News (11-8-06)

Subscribe to the Live Feed

Direct Link: http://guide.nilpo.com/articles

Real World Scripting focuses on scripting to solve real world problems or perform specific real world tasks.

Complete Scripting shows methods of giving your script that "little extra". These are advanced techniques designed to add functionality to a script or to improve performance.

Basic Scripting Articles:

• Introduction to WSH
• Choosing the Right WSH Engine (choosing which scripting language to use)
• WSH, The Silent Administrator (describes the advantages of using WSH for system/network administrators with ideas for use and examples)
• Determining Your WSH Script's Requirements (determining script dependencies and what versions of Windows your script is compatible with)
• PowerShell: Bringing Shell Access to Windows (an overview of the new PowerShell and a sort of "Getting Started" crash-course)
• Constructing Regular Expressions in VBS

Real World Scripting Series:

• Live System Analysis in WSH – Part 1
• Live System Analysis in WSH – Part 2
• Parsing Event Logs in WSH
• WSH for the Network Administrator
• Creating the Perfect Logon Script in WSH
• Using WSH as a Backup Scheme
• System Inventory in WSH
• WSH for System Rollout and Deployment
• The Advantage of using WSH as a System Task
• Techniques for Automation
• The Advantages of Converting Batch to WSH

Complete Scripting Series:

• Distributing Your WSH Script
• Connecting to Databases in WSH
• Giving WSH a User Interface
• User Interaction with Common Dialogs
• Error-Handling in WSH
• Harnessing the Power of the Command Line in WSH
• Cross-Platform Compatibility (Environmental Variables, Special Folders)
• Scripting for the Masses: Packaging and Distribution

WSH Scripting Basics Series:

• Handling Live Web Content in WSH – Part 1 (XMLHttpRequest)
• Handling Live Web Content in WSH – Part 2 (XMLHttpRequest)
• Working with the Windows Registry in WSH
• Working with Text Files in WSH PART 1: Basics
• Working with Text Files in WSH PART 2: Arrays and Filtering
• Working with Text Files in WSH PART 3: ADO
• Working with Files and Folders in WSH PART 1: The FileSystemObject (file actions, permissions, attributes, encrypting/decrypting)
• Working with Files and Folders in WSH PART 2: ADO
• Handling User Input in WSH
• Logging and Capturing Third-Party Output
• Implementing WMI in WSH
• Working with Users and Groups in WSH
• Sending Emails with WSH (CDO)
• Converting Batch Files to WSH
• Extending WSH with other engines (Python)
• Finding the Right Objects for WSH

PowerShell Scripting Basics Series:

• Converting VBScript to PowerShell

Web Design/Server Administration:

• Handling Redirects and Subdomains in Apache
• Simple Web Syndication with RSS 2.0 Feeds
• Standardizing Web Syndication with Atom 1.0
• How To Set Up Your Own Podcast Syndication

Other Topics:

• Proper Compliance and Network Cable Installations

Direct Link: http://guide.nilpo.com/topics

Guys, I've got a lot of articles going live across the Dev sites. Check the posts above to see what's coming up. If there's a topic you're particularly interested in, feel free to leave me suggestions.

I added a live RSS feed for my articles. Now you never have to miss one!

Subscribe to the Live Feed

I'm back in action writing for ASP Free again. Check out the new article that went live today.

I've made it easier to link to and find this guide by creating a pointer from my web site.

http://guide.nilpo.com will redirect directly to this thread.