
Thread: Utilities, Tips & Tricks about Windows Security

  1. #1
    Join Date
    Aug 2006
    Location
    255.255.255.666
    Posts
    2,056

    Thumbs up Utilities, Tips & Tricks about Windows Security

    ==========================================================================================
    >>> Feel free to use any of the packages below but for the most current version of HijackThis, please visit TrendMicro.
    ==========================================================================================


    HJT1.99_XP and HJT2.0_XP install to the 'Program Files' folder, which is a more conventional installation location for those who prefer it; other than that, they are essentially the same as the previous versions.


    Last edited by TurcoLoco; 02-28-2008 at 03:35 PM. Reason: Added: new tools, links, etc.

  2. #2

    Lightbulb CCleaner

    Important note: I included registry locations in some of the screenshots, but this doesn't mean the registry editor needs to or should be used to do any of the mentioned steps.
    I included them in the screenshots merely as a reference for those who are tech savvy and would be interested.


    A. DOWNLOADING CCLEANER

    - Visit the developer's home page to find out the latest version and select one of the available download locations to start your download.
    - If using Internet Explorer, upon clicking "Start Download", IE's security feature will require you to click on the top blue bar to show the "Download File.." option.
    - Click on the Download File... option to initiate the download pop-up, where I advise you to select Save to save the file somewhere on your computer (such as your desktop):



    B. INSTALLING CCLEANER

    - When download completes, double-click on it to start the installation.
    - On the Install Options screen, clear the boxes next to the options you do not want to install then click Install:


    - Complete the installation by clicking on Finish button.
    The default installation location (on all Windows systems) is "C:\Program Files\CCleaner", regardless of whether Windows is 32-bit or 64-bit.
    On 32-bit Windows systems, you will only see CCleaner.exe in the installation folder. 64-bit systems will have CCleaner.exe as well as CCleaner64.exe.
    Regardless of which one you double-click, CCleaner64.exe is the one that will launch.

    Technically, for English speaking users, the only files needed are the executable(s), so if you wanted to run the program from a portable drive or flash drive, the executable(s) would be all you need.
    If you take a look at the list of useful standalone programs on my small USB flash drive, you would understand what I mean:


    C. SYSTEM (Temp/Junk File) CLEANER
    As soon as CCleaner launches, the first thing you will see is the following pop-up:

    Which one you choose depends on whether this is a private computer that only you use and you would like the settings, user names, etc. for the sites you frequently visit, kept for future access or not.
    Cookies can be a good thing for sites you trust, use and visit often. They can make it much easier to log in to the sites that require a user name and password yet retain only very basic information about you, such as online forums. If something like that is applicable, then click Yes. If you are on a shared computer or you do not want to leave any traces of your web surfing, then click No.

    One of the neat features of CCleaner that most other similar programs seem to lack is the "Analyze" feature which lets you see what would be deleted and how much space would be freed up, if you were to actually run it.
    For diagnostic purposes, it is a valuable feature to have but also for those who are not sure what would be deleted based on their selections, I would suggest using this feature to prevent unpleasant surprises.

    - Default Cleaner Settings - The list on the Applications tab could naturally be different based on what software you have installed on that particular computer:


    - To check all the boxes under a certain section, simply double-click on the icon next to the title of that section:


    - For those who are using a shared or work PC and have privacy concerns, and/or have various system/application issues, and/or suspect malware (Spyware, Adware, etc.), checking all options on both pages would be best:


    - If you check any of the advanced options such as the ones in the System section, you will receive a warning for each selected box letting the user know what the outcome would be:


    - For everyday use, the following configuration works for me but customize it to your needs. My settings might be too aggressive for your needs.
    For example: If you access recently opened files (Word, Excel, Pictures, etc.) frequently, then do not check "Recent Documents" option in the Windows Explorer section.
    Also on the Applications tab, under the "Applications" tab, do not check any of the "Office 20xx" options as these would delete recently opened Office documents from the program's cache.
    What does that mean? To elaborate, when you open Word application, if you click on File and select Open, normally it'd show you a list of recent Word documents you accessed. If you check the related options, that list will be emptied out (but of course the documents themselves would not be deleted). So you can say the recent list is more like a web browser history that helps you locate and open them easier and quicker.



    D. REGISTRY CLEANER
    The registry cleaner included with CCleaner has gotten a lot better over the years.
    I still prefer using AUSLogics Registry Cleaner on Windows 7 systems and RegScrubXP on Windows XP systems, mainly due to having years of very positive experience using both applications.
    Of course, this is not to say CCleaner's Registry Cleaner is not a solid program, because it is, but regardless of which application you use, if you must use one, make sure to back up your registry.
    All these free applications come with backup functionality; still, it would be wise to have a full backup just in case. For that, the freeware I recommend is Erunt.

    Using CCleaner's Registry Cleaner is fairly simple:
    - Click Scan for Issues
    - All issues found will be selected by default, if needed, you can deselect any of the entries to exclude them from deletion
    - Click Fix selected issues..
    - The program will automatically give you a pop-up window with a brief description of the first issue to be fixed and what the solution would be (typically deleting it)
    - If you want all issues fixed automatically without further interaction, then click on Fix All Selected Issues
    - If the "Show prompt to backup registry issues" box was selected in the Advanced Options section, then the program will pop up asking you if you want to back up the registry keys before they are modified/deleted.
    - I strongly urge you to let CCleaner back up the registry for any and all registry fixes it will be applying.

    Here is an overview of the registry cleaning process:



    E. TOOLS: UNINSTALL
    Another handy feature of the program. Even though you can use Add-Remove Programs (XP & earlier) aka Programs and Features (Win7) applets to uninstall any installed application, this utility gives you additional options.
    You can use the "Rename Entry" option to change the name of any entry on the list, but more importantly, if an entry is indeed invalid (you know for a fact that it was already uninstalled or manually removed) or running the uninstaller gives you an error as seen in the screenshot below, then it is time to use the "Delete Entry" option to get rid of it:

    In my example I used AnalogX SayIt application by manually moving the program folder to my desktop to mimic an application that was uninstalled or manually deleted which caused an invalid registry entry to remain.

    If you are not sure, I'd suggest starting by browsing to the installation directory of the application to see if it is there or not:


    If the application folder in question is indeed missing, then deleting the related invalid registry entry makes sense.

    Remember, the Uninstall panel simply reads the information it gets from the related registry keys; it does not check your system to see if the application or its files are really there or not (you will have to do the leg work).
    When you click on the Run Uninstaller button, the program launches that application's uninstall program registered (listed) in its related registry key (see the UninstallString line on the right hand side in the screenshot below).


    Two other excellent free uninstallers I use and like are Revo Uninstaller (free version) and MyUninstaller from Nirsoft. Another excellent one is called Absolute Uninstaller.
    When you uninstall an application using Revo Uninstaller, it actually has various degrees of registry and filesystem scanning capability to detect and remove leftover registry and application files/folders.


    F. TOOLS: STARTUP
    As the name implies, this function displays the entries in the two most common registry startup locations under the Windows tab:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    and
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run



    - Internet Explorer tab displays the IE based add-ons (No Firefox stuff) same as managing them within Internet Explorer's Internet Options screen (Start > Run > inetcpl.cpl ,5 > OK > Click Manage Add-ons):



    - Scheduled Tasks tab displays the system, application and user based tasks which you could also manage using Windows Task Scheduler:


    Save to text file..: It captures the entries in the foreground tab, copies them to the clipboard and then creates a text file at the end. Again, it only captures the entries (if any) on whichever tab you are viewing.
    So, if you are looking at the Internet Explorer tab, it will not capture the entries listed on the Windows and Scheduled Tasks tabs.
    To save each and every tab, you will have to click on each tab separately and then the "Save to text file.." button (or you could right-click on any of the entries on the list).


    G. TOOLS: SYSTEM RESTORE
    A much easier way to manage Windows System Restore Points with the Remove option:


    As expected, when an older restore point is selected and the Remove button is clicked, the user will be prompted with a confirmation pop-up.
    Also, the latest (most recent) restore point cannot be deleted; as shown above, the Remove button for the latest restore point will be greyed out.



    OPTIONS: ADVANCED
    If I am running CCleaner for the first time on a system, the first thing I do is to open the Advanced options panel to customize the program.
    To do a full cleaning, the options I select on this section look similar to the ones on the 3rd screenshot down (with 2 red highlighted boxes).

    - To get rid of this warning message, you will need to check the option "Hide Warning Messages" under Options > Advanced:


    - The above screenshot shows the default settings of the Advanced section, the following shows my customized version which is suitable for every day use:


    - For systems having issues or where a malware infection is suspected, I'd recommend selecting/deselecting these options:





    ...to be continued soon!







    ~TL
    Last edited by TurcoLoco; 02-28-2012 at 11:00 PM. Reason: Updating...

  3. #3

    Lightbulb Autoruns and StartupControlPanel

    The following 2 freeware utilities are my favorites for monitoring & managing programs and processes located at various startup points on a system:

    Autoruns scans other areas and has the option to save its findings as a text file or in its own ARN format, which can be used later on for comparison to the current listing.

    StartupControlPanel has a user friendly interface and also a nice feature which moves all deleted entries to its 'Deleted' section providing a way to easily restore them later on.

    It is best not to delete the entries under the 'Deleted' tab as this would permanently remove them, so be absolutely certain the related entries are not and will never be needed.

    AUTORUNS
    I typically check the 'Hide Windows Entries' option, then click on the Refresh button to have the program rescan and hide the common Windows entries. Why should you do this?
    Two reasons:
    - By excluding Windows entries, you exclude system critical entries that you might accidentally delete or disable and cause serious issues.
    - Secondly, once the Windows entries are excluded, the list becomes much shorter, making it easier to scan and spot the 3rd party entries, missing/invalid entries, and those that might belong to malicious software.

    Note: One caveat to excluding the Windows entries that I can think of is that "Kernel Fault Check" type startup entries will not show up on the list. These typically are Scandisk calls due to unexpected shutdowns or Blue Screens of Death.
    If the system booted up and is running fine, it would be better to delete these entries, so once in a while you might want to uncheck the "Hide Windows Entries" option.


    Most users, if needed, should only modify the top sections, where the section path refers to either the 'HKLM\..\...\Run' or 'HKCU\..\...\Run' locations in the registry.
    For the rest of the listing, please ask the advice of a knowledgeable person or at least use the 'Search Online' feature to conduct an online search by right-clicking on the currently highlighted entry. This action will automatically open the default Internet browser and conduct an online search:


    If you'd like to verify the application signatures, you can do so by checking the option 'Verify Code Signatures' under Options and pressing F5 to refresh the list (scans with this option take longer!):


    To save the Autoruns scan results to a log file, from the file menu on top:
    1. Click File
    2. Click Save...
    3. Pick a location where you would be able to find it easily
    4. Select the 'Save as type' as either 'Autoruns Data (*.arn)' or 'Text (.txt)'
    5. Type in a File name (usually Autoruns followed by the current date is a good idea. Example: "Autoruns July 10.txt" or "Autoruns 05.18.2009.arn")
    6. Click Save

    If you choose 'Text (.txt)' under 'Save as type', then the log file will be in plain text format. This is the suitable format for attaching to e-mails or online forums.


    The other format is Autoruns Data (.arn) which is suitable to take a snapshot of the settings and store it for later on.
    If you save the log file as 'Autoruns Data' file, you will be able to use the 'Compare' feature which compares the changes from the snapshot with the current entries.
    Compare function only displays the entries (with a green background) that were disabled before but now enabled or vice versa.
    It will not, however, show any differences that reference entries that were deleted after the snapshot was taken:


    When you open a previously saved log file with the ARN extension, it will display the log file as a snapshot as it was saved, but once you hit F5 (Refresh) it will do a new scan and overwrite it with the new scan results. The same thing goes when using the 'Compare' feature. Looking up a previously saved log file with the .arn extension will not help you restore any deleted entries, but at least you will know what is missing or changed, which could be very helpful in diagnosing problems with various system issues as well as malware-related infections, so I strongly recommend everyone create a snapshot of their system after a fresh install or before they are about to commit major changes, updates, installations, etc.

    TIP: Finding an entry based on a keyword could be helpful; click on the toolbar icon next to the 'Refresh' button that looks like binoculars.

    WARNING: Much like most Registry Cleaners, Autoruns checks the file system to see if the path given for a specific file in the registry is valid or not.
    If the path for a specific file points to an invalid location, Autoruns will display that entry as 'File not found'.
    It doesn't have any sophisticated search & locate function to know if the file was moved or renamed. Even though this will hardly ever be an issue, if you have doubts, please check to make sure the file is indeed not present on the system.


    Even a fresh install of Windows XP has multiple 'File not found' entries which can be deleted:

    Generally, improperly uninstalled applications, accidentally deleted registered components/device drivers/operating system files and/or after using malware cleanup tools on an infected system could result in having 'File not found' entries.


    NOTE: Autoruns stores the disabled entries at:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled




    STARTUPCONTROLPANEL
    There are 7 tabs of which 6 are functional and for the most part only 5 are normally used.

    1) Startup (user) refers to the shortcuts placed in the C:\Documents and Settings\username\Start Menu\Programs\Startup path. Normally, startup entries appear here due to a program option that the user selected.

    2) Startup (common) refers to the shortcuts placed in the C:\Documents and Settings\All Users\Start Menu\Programs\Startup path. The startup entries that appear here are commonly placed by the program in question during its installation.

    3) HKLM / Run refers to the Local Machine run entries located at the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path. The startup entries that appear here are commonly placed by the program in question during its installation.

    4) HKCU / Run refers to the Current User run entries located at the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run path. Normally, startup entries appear here due to a program option that the user selected.

    5) Run Once refers to the Local Machine run entries located at the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce path. Generally, an entry will appear here if a program needed an extra step to complete its uninstallation or another one-time process that couldn't be done without a system restart.
    Examples of such entries:
    If Spybot failed to delete all selected infection-related entries for whatever reason, it might prompt the user to allow the process to run on the next bootup so it could be completed.
    You connected remotely to another PC using Netmeeting; the program will place an entry to remove cached application files/settings on the next boot up. You uninstalled a program (legit or malware) and it prompted that certain files would be removed on the next startup. If the related program is an identified spyware type application, be careful! Some of these pesky apps could place a startup entry here that could re-initiate the program's installation or launch some other apps, pop-ups, etc.

    If you are ever in doubt about a startup entry, always start with disabling (clearing the box next to it) the entry first!
    Once you confirm that it is something malware related or something you no longer need/want, then you could delete it. StartupControlPanel allows recovering previously deleted startup entries so it is very safe compared to Autoruns. I urge novice users to use StartupControlPanel instead of Autoruns unless otherwise instructed by an expert.

    Unlike Autoruns, StartupControlPanel also creates a 'Deleted' location where it saves deleted entries which can be recovered later on (if needed), much like Windows Recycle Bin.

    To recover a deleted entry from the 'Deleted' section in SCPL:
    1. Click 'Deleted' tab
    2. Right-click on the entry to be recovered
    3. Move cursor over to 'Send to' option then select the desired location to move the entry



    Another really cool feature of SCPL is the ability to run any of the listed startup entries even if they are disabled or deleted:
    To run any of the listed entries simply right-click on it and click 'Run Now':


    SCPL stores the disabled entries at:
    HKEY_CURRENT_USER\Software\mlin\StartupCPL\Disabled



    and the deleted entries at:
    HKEY_CURRENT_USER\Software\mlin\StartupCPL\Deleted





    Final Note: Use only one of these utilities to prevent confusion and mistakes. First disable an entry to see if it is something that affects your daily computing or not. If it made no difference or the overall system appeared to be running faster, then delete that entry. For everyday use, SCPL is definitely an easier, more practical and safer tool to use. After installing a program, use SCPL to see if it created any related startup entries without informing you. One strength Autoruns has is that it also displays Windows tasks. I am seeing more and more legit programs create startup tasks that are not critical and typically slow down the bootup/login times.


    ~TL
    Last edited by TurcoLoco; 01-01-2012 at 01:34 AM. Reason: corrections, updates, etc.
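    As an added example (not Autoruns or StartupControlPanel code, and not from the original posts), the following PowerShell script snapshots the Run/RunOnce keys and Startup folders covered in the CCleaner "Tools: Startup" section and in this post, then diffs two snapshots. Unlike the Autoruns 'Compare' feature described above, it also reports entries that were removed after the snapshot was taken. Assumptions: PowerShell 5.1 on Windows, snapshot paths are whatever you choose, and the WOW6432Node Run key and the HKCU counterpart of the AutorunsDisabled key are included on the assumption that they exist on your system.

```powershell
# Added example (not Autoruns/StartupControlPanel code): snapshot common launch
# points to a JSON file and diff two snapshots, reporting added, modified AND
# removed entries. Assumes PowerShell 5.1 on Windows.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',          # 32-bit apps on 64-bit Windows (assumed present)
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled',     # where Autoruns parks disabled entries (per the post)
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled'      # per-user counterpart (assumed)
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # Startup (user)
    [Environment]::GetFolderPath('CommonStartup')   # Startup (common / All Users)
)
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-LaunchPoints {
    # Returns a hashtable: "<location>|<entry name>" -> command line or shortcut target
    $points = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }   # skip provider metadata, keep real values
            $points["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File) {
            $target = $f.FullName
            if ($f.Extension -eq '.lnk') { $target = $shell.CreateShortcut($f.FullName).TargetPath }
            $points["$folder|$($f.Name)"] = $target
        }
    }
    return $points
}

function Save-LaunchSnapshot([string]$Path) {
    Get-LaunchPoints | ConvertTo-Json | Set-Content -Path $Path -Encoding UTF8
}

function Read-LaunchSnapshot([string]$Path) {
    $table = @{}
    (Get-Content -Path $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $table[$_.Name] = [string]$_.Value }
    return $table
}

function Compare-LaunchSnapshot([string]$OldPath, [string]$NewPath) {
    # Emits one object per difference; 'Removed' covers what Autoruns' Compare does not show
    $old = Read-LaunchSnapshot $OldPath
    $new = Read-LaunchSnapshot $NewPath
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';    Entry = $k; Command = $new[$k] }
        } elseif ($old[$k] -ne $new[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Entry = $k; Command = "$($old[$k]) -> $($new[$k])" }
        }
    }
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed';  Entry = $k; Command = $old[$k] }
        }
    }
}

# Usage (paths are examples): baseline after a clean install, a second snapshot after
# installing software, then review what changed before deciding what to disable.
#   Save-LaunchSnapshot "$env:USERPROFILE\Desktop\launch-baseline.json"
#   Save-LaunchSnapshot "$env:USERPROFILE\Desktop\launch-after-install.json"
#   Compare-LaunchSnapshot "$env:USERPROFILE\Desktop\launch-baseline.json" `
#                          "$env:USERPROFILE\Desktop\launch-after-install.json" | Format-Table -AutoSize
```

    The snapshot is plain JSON, so it can be attached to a forum post like the Autoruns text export; keeping the baseline somewhere the machine's users cannot casually edit (a USB stick, as in the CCleaner post) keeps the comparison trustworthy.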

  4. #4

    Lightbulb Spybot Search & Destroy

    ~ POST UNDER CONSTRUCTION...WILL BE UPDATED SOON!


    One of the most popular spyware scanners, also, imho, one of the decent ones. Spybot S&D has a lot of features that most people either do not know about or do not bother to use but I urge you to get to know the program a bit more because there are some really neat and useful functions hidden under its menus.

    Here is the process that I'd suggest that you follow with each standard installation:

    1. Download the program if it is not locally stored, then install it.
    2. Launch the program, at the main menu, click 'Search for Updates' button to initiate the program's internal update process.
    3. If any updates are available, right-click on any one of them and click 'Select All'.
    4. Pick a download location that is close to You for faster download, then start the update process.


    *5. Once done, close out of the program and visit Spybot's home page and download the latest definition update file and install it. This allows the 'Ignored Products' to be listed under Advanced Mode > Settings screen which otherwise might not be visible by running the automated update process alone.


    6. After the manual update, click on Mode and select Advanced Mode. Click Yes at the confirmation screen.


    7. Click Settings, then the Ignored Products option, and scan through the 'All Products' list to make sure no boxes (products) are selected; uncheck the ones found. As of this writing a total of 3 entries (2 C-Dilla and 1 SideStep) should be checked on the list. Uncheck if you find any others as well.


    8. Under Tools section, click Resident option and make sure to activate (check) the 'Resident SD Helper' option which is very similar to SpywareBlaster's malicious ActiveX blocking feature.


    9. Under the Spybot-S&D section on the side bar, click on Immunize button to create a preventative layer against spyware.

    Also view the ActiveX, BHOs, Hosts File and Winsock LSPs sections as these locations could display malware related entries when a system gets infected.
    Identified malware related entries will normally be marked with a red X and known or presumably legit entries would have a green checkmark. Since unknown entries could be tagged with a green checkmark, I suggest you examine each entry very carefully in the event of an infection.

    The default Hosts file would only have a 'localhost' entry with an IP of 127.0.0.1, which is a software based IP address that is used to diagnose the installed TCP/IP protocol(s) to see if they are functioning properly.

    Winsock LSPs, if damaged by an infection, could break the network connection altogether.


    Final Note: It'd be worth creating a report file by using the Tools > View Report feature.
    If an infection takes place, comparing the report logs of the before infection and after infection could help you spot malware entries that spyware scanners might have missed.

    ~TL

  5. #5

    Lightbulb www.VirusTotal.com

    When it is time to get a 2nd opinion on a file that might be infected, visit www.virustotal.com (imo, it's worth adding it to your favorites)

    This awesome site uses over 30 different well-known scanners to analyze the submitted file.

    Step 1: Submit the file in question by clicking on Browse button to locate the file and select it.

    Step 2: Click Send button to have the file uploaded and queued for processing.

    Step 3: Wait for scanning to complete; STATUS should read COMPLETED



  6. #6

    Exclamation Windows Launch Points

    This page covers pretty much all launch aka startup points in all versions of the Windows operating system:

    http://www.silentrunners.org/sr_launchpoints.html

    Important: This info is more for advanced users so if you are not sure, please get an expert's help before modifying these settings in the registry!
    Also, it is always wise to make a backup of the registry before you make any kind of changes to the registry.

  7. #7

    Lightbulb List of Internet Parental Control Utilities

    List of Internet Parental Control Utilities (free to my best knowledge):

    Naomi:
    http://www.radiance.m6.net/oldindex.html

    OpenDNS Parental Controls:
    http://www.opendns.com/homenetwork/solutions/parental/

    File Sharing Sentinel:
    http://www.akidthaine.com/

    Safe Families Parental Control:
    http://www.safefamilies.org/download.php

    K9 Web Protection:
    http://www1.k9webprotection.com/

    B Gone Parental Control:
    http://support.it-mate.co.uk/?mode=Products&p=bgone


    Note: If any of the freebies ever become commercial products then check for their last free version here.


    Enjoy!

  8. #8

    MDBL - Malware Domain Block List

    Here is a script that a co-worker created which I slightly modified. Basically, the script works very similarly to MVPS Hosts file patching here.

    The script is compatible with Windows XP, Vista and 7.

    To patch your HOSTS file which is arguably one of the most effective ways to block known bad sites (domains) from even opening in your browser (of any kind):
    1- Download the attached MDBL.zip to anywhere on your PC, desktop would be fine.
    2- Extract the file contents.
    3- To patch the Host file, double-click on MDBL.bat
    4- The script will automatically execute the following steps:
    - Connect to www.malwaredomainlist.com and download the latest list of known bad domains
    - Make a backup copy of your existing Hosts file if one didn't already exist
    - Add the list to the Hosts file (so when anyone attempts to open any of the sites on the list, the browser will display something like "Page not found")
    - Run the nbtstat -R command to purge and reload the remote cache name table so a reboot of the computer would not be needed





    Note: If for any reason you need to restore your original Hosts file, double-click on Undo.bat, which instantly and quietly reverts the changes.

    ~TL
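    As an added example (not the MDBL.bat/Undo.bat from this post), here is the same patch-and-undo procedure written in PowerShell: a one-time backup of the Hosts file, the downloaded list filtered down to well-formed blocking entries, the entries kept between marker lines so the undo can strip exactly what was added, and the resolver caches flushed so no reboot is needed. Assumptions: run from an elevated (Administrator) PowerShell 5.1 session; $ListUrl is a placeholder for the hosts-format list URL you use (the post uses www.malwaredomainlist.com), and the marker strings and backup file name are my own choices.

```powershell
# Added example (not the post's MDBL.bat): patch the Hosts file from a hosts-format
# block list, with a one-time backup and an undo. Run elevated. $ListUrl is a
# placeholder, not a real URL.

$HostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$BackupPath = "$HostsPath.mdbl-backup"          # assumed backup name, created once
$ListUrl    = 'http://EXAMPLE-LIST-URL-PLACEHOLDER/hosts.txt'   # placeholder
$BeginMark  = '# BEGIN MDBL'                    # assumed marker lines around managed entries
$EndMark    = '# END MDBL'

function Get-BlockListEntries([string[]]$Lines) {
    # Keep only "0.0.0.0 <host>" / "127.0.0.1 <host>" lines; drop comments, loopback
    # names and anything that is not a plausible host name, so a malformed or
    # tampered list cannot inject arbitrary text into the Hosts file.
    foreach ($line in $Lines) {
        $t = ($line -split '#')[0].Trim()
        if ($t -eq '') { continue }
        $parts = $t -split '\s+'
        if ($parts.Count -lt 2) { continue }
        if ($parts[0] -notin @('0.0.0.0', '127.0.0.1')) { continue }
        $domain = $parts[1].ToLowerInvariant()
        if ($domain -in @('localhost', 'localhost.localdomain', 'broadcasthost')) { continue }
        if ($domain -notmatch '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$') { continue }
        "0.0.0.0 $domain"   # 0.0.0.0 fails immediately instead of trying the local loopback
    }
}

function Remove-ManagedBlock([string[]]$Lines) {
    # Returns the Hosts lines with the marker-delimited block (if any) removed
    $inside = $false
    foreach ($l in $Lines) {
        if ($l -eq $BeginMark) { $inside = $true;  continue }
        if ($l -eq $EndMark)   { $inside = $false; continue }
        if (-not $inside) { $l }
    }
}

function Reset-NameCaches {
    ipconfig /flushdns | Out-Null   # DNS resolver cache, which is what consults the Hosts file
    nbtstat -R        | Out-Null   # NetBIOS remote name cache, as in the original script
}

function Install-HostsBlockList {
    if (-not (Test-Path $BackupPath)) { Copy-Item -Path $HostsPath -Destination $BackupPath }
    $raw     = (Invoke-WebRequest -Uri $ListUrl -UseBasicParsing).Content -split "`r?`n"
    $entries = @(Get-BlockListEntries $raw | Sort-Object -Unique)
    if ($entries.Count -eq 0) { throw 'Block list was empty or unparsable; Hosts file left unchanged' }
    $kept = @(Remove-ManagedBlock (Get-Content -Path $HostsPath))
    Set-Content -Path $HostsPath -Value ($kept + $BeginMark + $entries + $EndMark) -Encoding ASCII
    Reset-NameCaches
    "Added $($entries.Count) entries to $HostsPath"
}

function Undo-HostsBlockList {
    # Prefer the original backup; fall back to stripping the managed block
    if (Test-Path $BackupPath) {
        Copy-Item -Path $BackupPath -Destination $HostsPath -Force
    } else {
        Set-Content -Path $HostsPath -Value (Remove-ManagedBlock (Get-Content -Path $HostsPath)) -Encoding ASCII
    }
    Reset-NameCaches
}

# Constructed sample input, to see what the parser keeps before touching the real file:
$SampleList = @(
    '# comment line',
    '127.0.0.1 localhost',
    '0.0.0.0 bad.example   # trailing comment',
    '127.0.0.1 evil.example',
    'not a hosts line',
    '0.0.0.0 bad_name!'
)
Get-BlockListEntries $SampleList
```

    Keeping the added entries between marker lines is what makes the undo safe when the backup is gone; if someone later edits the Hosts file by hand, only the managed block is touched on re-run or undo.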

  9. #9

    Lightbulb No Anti-Virus Scanner Yet No Infection!

    Here is how I do it:

    - NoScript >>> A Must-Have! This add-on alone eliminates majority of the threat before you even encounter them.
    - WOT (Web of Trust) or BrowserDefender (both work with FF and IE) >>> Another Must-Have! Great at spotting phishing sites, links in search results and even links embedded in e-mails when using Yahoo, Google, etc.
    - Adblock Plus >>> A Should-Have! Strongly recommended. Useful in eliminating distracting ads plastered all over web pages and then some.
    - Flashblock >>> More convenience than security, still useful in eliminating annoying flash animation and videos.

    Here is a screenshot of the Firefox Add-ons I typically use:


    Red boxes indicate must-have security add-ons, the ones in blue boxes are recommended but not a necessity by any means.

    The top 2 are definite must-haves for Firefox users and either WOT or BrowserDefender for Internet Explorer users imho.

    Additionally, for all users Spybot Search and Destroy's SD Helper feature is a really good thing to have on.
    First the "Advanced Mode" needs to be turned on then it can be seen under Tools > Resident section:

    It simply created a new CLSID (apartment thread) in the registry which functions as a typical BHO (Browser Helper Object):


    Also, Spybot S&D's Immunize feature or SpywareBlaster is very effective protection against known bad sites and malicious ActiveX content. It is even possible to have both. Both of them modify the Hosts file along with adding known bad domains to the "Zones" section in the registry.

    And my final recommendation would be to insert the list of known malware sites into the Hosts file for the most practical and effective prevention.
    A co-worker created a script which connects to MDL and gets the most updated list of bad domains and adds them to the Hosts file after it makes a backup copy of it for undoing the changes for any reason.
    To get more info and download this script, please see the adjacent post.

    ~TL


    PS. The purpose of this post is to share a few pointers on how to make your browser and browsing safer, more secure.
    Everyone should have a reputable virus scanner installed and equally important thing is, it should be kept up-to-date!
