Windows virus removal and information security blog

Miscellaneous fixes for Windows 7 after cleaning a malware or virus infection

2011-07-30T15:31:00.003+05:30

This post contains various fixes to restore default functionality of the services and other programs in Windows 7 after removal of infections

Sometimes after removal of malware or virus infection, the security center service might get disabled. If we try to start the service it gives an error "Error 1058: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.". This usually happens because of two reasons

1. The Service is Disabled.
2. The Service has a corrupted or incorrect registry setting.

We can resolve this in three ways

1. Check the necessary service through Services.msc by typing this through the "Start Search Option" and selecting it. Look for the Service needed to be Started. In your case this should be Security Center. The Status should be "Started" and Startup Type should be "Automatic (Delayed Start)".

2. Go to Start-> type cmd in Search-> right click on cmd-> select run as administrator->we will have command prompt running under administrator privileges-> Type sfc /scannow at the prompt and press enter.Wait for it to finish then restart.

3. Download and apply this REG fix which reinstates the missing Security Center service:

If Remote Procedure Call (RPC) service is not starting or missing from services tab please use these fixes

If Windows installer service is missing please use this fix

Windows 7 installer fix

If we get Error 1719 Windows Installer Service Could Not be Accessed, when installing applications. Please use this fix

Windows 7 installer fix

For Windows 7 file association fixes visit this link
For Vista file association fixes visit this link

If we accidentally falsely associate .lnk files or shortcuts with some other application in Vista or windows 7 Use this utility to unassociate the filetypes

If a virus or malware hides all files and folders in vista or windows 7 use this command to unhide the files and folders

Open command prompt as administrator and type this command attrib - s -h -r /s /d after this is done (please hide the system files back if it is root drive).

Sometimes after malware infection the start menu program shortcuts are deleted to user's temporary folder hence before deleting the temporary folder contents, please search for *.lnk in temporary folder and restore the .lnk files back to start menu programs folder.

Internet explorer DLL registration batch file scripts for

open in new tab/window not working
Find on this page "empty"
tabs on Favorites pane missing
about screen and other dialogs "empty"
IE8 closes immediately (not if caused by an add-on!)
can't print (interface not registered)

Please visit:

Windows update gives an error 80072EFD in Windows Vista and error 8024402C in Windows 7

2010-04-17T04:06:00.002+05:30

You may sometimes receive an error "Windows could not search for new updates" with an error code 80072EFD in Windows vista or error code 8024402C in Windows 7 while checking for windows updates.

You may experience temporary internet connection loss when you try to use windows update on an office laptop over a direct internet connection at home. This might be due to configuration of proxy in internet explorer or if internet connection is working in internet explorer but you still receive error 80072EFD in Windows vista and 8024402C in Windows 7. This might be caused due to an independent proxy configured for windows update in Vista and Windows 7 which is not dependent on internet explorer proxy.

To fix the error 80072EFD, we need to disable the proxy for windows update using command prompt.

Click on start and type cmd. Right click on cmd and click on Run as administrator.

Type netsh winhttp show proxy.
if there is a proxy configured type netsh winhttp reset proxy.

It will say direct access, now you have direct access for windows update without a proxy.

Also there is a KB article from Microsoft for windows update proxy issue.
http://support.microsoft.com/kb/836941

Double click on drive in My Computer opens Search or shows Open With in Windows XP

2010-01-28T20:55:00.003+05:30

Sometimes double clicking on drive shows "open with" window as shown in the image

To fix this issue:

Go to Start menu | Run
Type Regedit

Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 as shown in the image

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{30bd6510-e969-11de-a5e9-806d6172696f}

Delete {30bd6510-e969-11de-a5e9-806d6172696f} in the above key.

Delete all keys that start with {.........} with + sign beside them (CLSID values) under Mountpoints2.

Search Window opens when you double click on a drive

Sometimes double clicking on a drive in My Computer opens "Search" Window as shown in the image

To resolve this:

To fix this:

Go to Start | Run Type regedit

Navigate to HKEY_CLASSES_ROOT\Drive\shell as shown in the image

In the right window pane locate the value Default REG_SZ find
Double click on the value and change it to none

Enabling registry, task manager, folder options without the help of third party softwares

2010-01-26T12:49:00.004+05:30

Some times registry and task manager are disabled by virus or malware programs, if you do not have a third party tools to enable it, use the reg command to enable them.

For Windows XP Home

Copy and paste the below command in Start -> Run for task manager

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Copy and paste the following command in Start-> Run

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

Copy and paste the following commands in Start-> Run for enabling folder options

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /t REG_DWORD /d 0 /f

For Windows XP Professional (Using the Group Policy Editor)

For Enabling registry

Click Start, Run and type gpedit.msc and press ENTER

Go to the following location:

User Configuration->Administrative Templates -> System

(Only to reverse virus effects)
Double-click Disable registry editing tools and set it to Disabled then Enabled and then Not configured.

For Task Manager

Click Start, Run, type gpedit.msc and click OK.

Go to the following location:

User Configuration ->Administrative Templates -> System -> Ctrl+Alt+Delete Options- >Remove Task Manager

Double-click Disable registry editing tools and set it to Disabled then Enabled and then Not configured.

For Folder options

Start->Run->gpedit.msc

Navigate to User Configuration -> Administrative Templates-> Windows Components->Windows Explorer.

Remove the Folder Options menu item from the Tools Menu

Double-click Disable registry editing tools and set it to Disabled then Enabled and then Not configured.

Secunia PSI detected PowerPoint viewer 2007 as an insecure program on a fully patched Microsoft Windows system

2009-12-12T13:41:00.002+05:30

Secunia PSI detected C:\Program Files\Microsoft Office\Office12\PPTVIEW.EXE was insecure on a fully patched Windows operating system. I have Office 2007 Enterprise SP2 fully patched on my system. I was not able to get the update from Windows update site either. I downloaded and tried installing "Security Update for PowerPoint Viewer 2007 (KB970059)" but it said "There are no products affected by this package installed on this system".

So I visited Secunia forums and searched for solution. In one of the threads there was a solution mentioned which worked for me.

First rename the present version of PPTVIEW.EXE to PPTVIEW.EXE_OLD in "C:\Program Files\Microsoft Office\Office12\" then download 7-zip from http://www.filehippo.com/download_7-zip and install it. Now download Security Update for PowerPoint Viewer 2007 (KB970059) . Right click on the downloaded file on the desktop -> scroll down to 7Zip and select Extract to as shown in the image

Then find PPTVIEW.EXE_0001in the extracted files and rename it to PPTVIEW.EXE.
Copy and paste it in the following location C:\Program Files\Microsoft Office\Office12\

Now rescan entire system with Secunia PSI it should show powerpoint viewer 2007 in the patched programs list. Visit http://secunia.com/community/forum/thread/show/2624/insecure_but_can_t_get_the_update for more information on this patch.

Free 3 user mcafee virus scan plus 2010 trial license for one year

2009-11-08T17:46:00.001+05:30

Mcafee is offering a free 12 month trial of its product 3 user Mcafee Virus scan plus 2010 This promotional offer has been started by vmware. To get Mcafee trial visit this link http://us.mcafee.com/en-us/affiliates/vmware/landingpages/16288.asp?cid=48523

Click on the Download trial button

Create an account by filling in details and click I agree

Click on Download button and again click on Download button your mcafee product installation will start automatically in internet explorer if it is firefox you have to double click on dmsetup.exe file which will start installation of Mcafee.

Preventing browser hijacks

2009-10-09T13:10:00.007+05:30

Browser hijacking is one of the methods of taking control of internet browser by installing unknown addons without any approval. This technique can be used to install malicious software that monitors your browsing habits or to send some sensitive personal information to hackers or to redirect your search to a malicious website which in turn will lead to installation of malware onto the computer.

Home page change, URL redirection, hyperlink redirection, Changes in the hosts file, lots of pop ups which may include obscene pop ups are symptoms of a browser hijack.You may not be able to browse security related websites and it may also lead to DNS Hijack.

Browser hijacking software may install itself as a legitimate program and take complete control of your system.

Prevention tips:

To prevent browser hijacking you need to be little cautious while installing freeware or shareware programs as these programs are bundled with unwanted toolbars and addons.

Enable automatic update and keep your computer up to date.
Install Antivirus or Antispyware programs like Ad-aware or Spybot if you have windows defender make sure it is up to date.
Most of the browsers now come with internal phishing filters which will enable you to identify a fake website from legitimate ones, so make sure phishing filter is enabled in your browser.
Use a good anti-virus which has features like on demand scan, real time protection, real time scanner, anti phishing, web browser protection.Make sure your antivirus is up to date.
Make sure Internet explorer is running in protected mode.

if your browser is already hijacked you can use these tools to reset the registry entries:

Autoruns
Hijack this

For more information on these tools please visit http://infosecurityhub.blogspot.com/2009/08/utilities-for-tracking-malware-hiding.html

Also you can refer to this link for more tools: http://aumha.org/a/parasite.htm

Free anti-malware tool from Microsoft

2009-10-06T12:34:00.003+05:30

Microsoft security Essentials is a free anti-malware from Microsoft. It provides real time protection for your PC against malware, spyware, viruses and other malicious software free. It has features like
Scheduled scan
Quick, full and custom scan
Automatic updates without user interaction
Real-time protection
File exclusions
Microsoft SpyNet

It has four tabs:

Home tab which contains scan options like Quick Scan, Full scan and Custom scan. Quick scan scans critical areas of system like registry, start up etc. Full Scan scans the entire system and Custom scan is for scanning specific areas of system.

Update tab allows you to run a manual update of malware signatures.

History tab contains Quarantined items, detected items and items that are allowed to run.

Settings tab contains various settings of security essentials including Microsoft spynet membership settings.

Microsoft spynet is the online community that helps you choose how to respond to potential threats in case you don't know what to do. It is also responsible for preventing threats from spreading around.

System requirements:

Genuine Windows XP, with a CPU clock speed of 500 MHz or higher, and 1 GB RAM or higher.
Windows Vista and Windows 7 with a CPU clock speed of 1.0 GHz or higher, and 1 GB RAM or higher.
VGA display with a resolution of 800 × 600 or higher.
140 MB of available hard disk space.
An Internet connection is required for installation and to download the latest virus and spyware definitions for Microsoft Security Essentials.
Internet browser( IE or Firefox)

Download Microsoft security Essentials:

Utilities for tracking Malware hiding in windows autostart entries

2009-08-29T11:16:00.018+05:30

When Malware infects a computer it automatically creates some autostart entries in windows autostart locations like

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

etc.

As Malware executes sometimes it will disable registry editor and task manager and msconfig so these utilities will help you to recover your system from malware.

Autoruns

This utility from sysinternals shows the programs that are configured to run automatically at windows startup.
These locations include startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.

It displays logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

RunAlyzer

RunAlyzer is a utility from safer-networking.org. It is a combination of a standard configuration manager and an advanced tool to locate and remove places where hijackers, spyware and other malware hide.

For more information on this tool and to download it visit http://www.safer-networking.org/en/runalyzer/index.html

RegAlyzer

RegAlyzer is a tool to browse and change the registry. It has improved search and Jump to key by command line parameter, jump to key by typing/copying it into dialog (instead of browsing)
,display of .reg file contents without importing it.

For more information on this tool and to download it please visit http://www.safer-networking.org/en/regalyzer/index.html

Process Explorer

Process Explorer is a better replacement for task manager it has many features which a normal task manager does not contain.

It shows a list of the currently active processes, including the names of their owning accounts, if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. It also has a powerful search which quickly shows you which processes have particular handles opened or DLLs loaded. It is useful for tracking down DLL-version problems or handle leaks it is useful for application behavior analysis.

For more information on this tool and to download it please visit http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Hijackthis

This tool is useful in tracking internet explorer browser hijackers and it also gives insight into key areas of registry like startup locations and gives a list of processes running in your system which can be saved as a log which can be posted to forums for troubleshooting.

ADS Spy tool scans for alternate data streams, which some browser hijackers use to hide from spyware removers.

Download Hijackthis from here:

Download link1

Download link2

Download link3

Deleting Confidential information beyond recovery

2009-07-27T14:00:00.018+05:30

Any file system stores data on a storage device using an index table which links or maps to original data. When we delete a file, the operating system marks that memory or portion of the index table for reuse. So the actual information contained in the file is not deleted.

File header or index table contains

Filename, type
File attributes
Time and date of creation, modification
Starting cluster in the file allocation table
File size

Even if a file has been deleted it can be recovered by reconstructing the file header or index of that file, until the portion has been used or overwritten by some other information. This can be done using data recovery softwares like stellar data recovery or pc inspector file recovery etc. So if you want to delete a confidential or sensitive information beyond recovery use softwares like file shredder, Wipe disk or Eraser.

With file shredder you can remove files from your hard drive beyond recovery. In File Shredder you can choose between 5 different shredding algorithms, each one gradually stronger than the previous one. It also has integrated Disk Wiper which uses shredding algorithm to wipe unused disk space. It is a freeware

Eraser is an advanced security tool for Windows which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 98, ME, NT, 2000, XP, Vista, Windows Server 2003 and Server 2008. It is a freeware.

Download file shredder

Download Eraser

Encrypt data on storage devices to secure confidential information

2009-07-20T19:59:00.009+05:30

If you have confidential information on your computer and you want to protect it, use disk encryption software like TrueCrypt. TrueCrypt is a free open-source disk encryption software it works on Windows Vista/XP, Mac OS X, and Linux.

It has On-the-fly encryption feature which encrypts or decrypts data automatically right before it is loaded or saved, without any user intervention. No data stored on an encrypted volume can be read (decrypted) without using the correct password/keyfile(s) or correct encryption keys. Entire file system is encrypted (e.g., file names, folder names, contents of every file, free space, meta data, etc).

Main Features of TrueCrypt:

Creates a virtual encrypted disk within a file and mounts it as a real disk.
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Encrypts a partition or drive where Windows is installed (pre-boot authentication).
Encryption is automatic, real-time (on-the-fly) and transparent.
Parallelization and pipelining allow data to be read and written as fast as if the drive was not encrypted.
Provides plausible deniability, in case an adversary forces you to reveal the password:
Hidden volume (steganography) and hidden operating system.
Encryption algorithms: AES-256, Serpent, and Twofish. Mode of operation: XTS.

Download TrueCrypt from here. For more information on this software visit this link

Manual removal of Win32 Sality.aa

2009-06-26T10:04:00.004+05:30

This is a polymorphic virus it loads in the startup as a driver

Creates following files and registry entries:

%System%\drivers\.sys it is "infuo.sys" in my case(but this file is hidden) in system32\drivers loads as a driver so it has capability to block antivirus sites.

HKCU\Software\"username"914

For example:
HKCU\Software\Administrator498

HKCU\Software\Administrator914

It adds the following text to the "system.ini" file located in the %Windows% directory:
[MCIDRV_VER]
DEVICEMB=random number

it disables windows firewall by executing the following command

"netsh firewall set opmode disable"

it adds following entry to firewall through registry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"" = ":*:Enabled:ipsec"

It deletes and modifies the following registry entries:

HKCU\System\CurrentControlSet\Control\SafeBoot
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList
HKLM\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

It also modifies Hidden files entry in the registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Modifies the dword "Checked value" from 1 to 0

It also disables Registry Editor and Task Manager by adding these registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskMgr = dword:00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = dword:00000001

Terminates major antivirus software services

Prevents access to security related sites and antivirus sites

Also disable settings related to system security. It does this by adding the following registry entries:
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\UacDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusDisableNotify= dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UpdatesDisableNotify = dword:00000001
HKLM\SOFTWARE\Microsoft\Security Center\Svc\UacDisableNotify = dword:00000001

For more information on this virus please visit this link

Manual Virus removal instructions for an infected system:

1.Download this rarfile from this link

2.Extract the contents to desktop, open cmd and type "netsh winsock reset" without quotes

3.Execute the file regtools.vbs by doubleclicking it

4.Now Execute the XP_reg.reg file by doubleclicking it click yes in the dialogbox that appears.

5.Execute the file regtools.vbs by doubleclicking it again.

6.Now execute the assoc.reg file by doubleclicking it click yes in registry prompt.

7.Execute the file regtools.vbs by doubleclicking it again.

8.Now open registry editor Go to start->Run->type "regedit" without quotes press enter
sometimes you need execute the script again and again to open regedit after opening registry editor do not close it.

9.Now in registry editor navigate to HKCU\software and delete the entry that contains your "username"

10.Now navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and delete all values in right window pane

11.Now navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete all values in right window pane

12.Now navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and delete Disabletaskmgr value. If task manager is not working use process explorer

13.Now qiuckly press Crtl+Shift+Esc it opens task manager.

14.Now quickly figureout processes that are running without your interaction like notepad.exe
or Winmine.exe ( these are files which I did not open but were running in task manager in my system.

15. Now after figuring out any exe files running without your interaction (even if they are legitimate microsoft files they are affected by virus) delete those files from system32 and by using Unlocker. get unlocker here.

16.Now Go to Run type CMD press enter, now type sfc /scanow and insert XP cd to restore system files that are modified.

17.Now download autoruns.zip extract the contents open autoruns.exe click on drivers tab in autoruns and delete abp470n5 value from drivers section.

18.Now open Run->type sysedit->goto system.ini and delete
[MCIDRV_VER]
DEVICEMB=random number

19. Now navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies and delete all values in right pane. Also delete all startup items present in "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" and "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" because all executables are infected even antivirus entries should be deleted. Also clean all temporary files and clean prefetch in windows

20. Now also doubleclick the safeboot registry entries for restoring safeboot

21.Download malwarebytes and run it

21.Now restart the system and install kaspersky trial version or use the tool given below and scan all files.

Win32/Sality.aa removal tools:

Run this tool on an infected system to remove the infection

download tool from kaspersky:

Link1

Link2

Disabling Usb storage devices in windows

2009-06-10T17:25:00.007+05:30

To prevent data theft from computers disabling USB storage is important.

Follow these instructions to disable USB storage device

If a USB storage device is not already installed on the computer

If USB storage device is not installed Apply Deny permissions to the following files:

%SystemRoot%\Inf\Usbstor.pnf
%SystemRoot%\Inf\Usbstor.inf
%SystemRoot%\system32\drivers\usbstor.sys

If you deny permissions to above files users will not be able to install a USB storage device on the computer.

To assign a user or group Deny permissions to the Usbstor.pnf, Usbstor.inf and Usbstor.sys files follow these steps:

Click on Start -> Run type %SystemRoot%\Inf.
Find Usbstor.pnf. Right-click the Usbstor.pnf file, and then click Properties.
Click the Security tab.
In the Group or user names list, click the user or group that you want to set Deny permissions for.
In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

Note Also add the System account to the Deny list.
Right-click the Usbstor.inf file, and then click Properties.
Click the Security tab.
In the Group or user names list, click the user or group that you want to set Deny permissions for.
In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

Click on Start -> Run type %SystemRoot%\system32\drivers
Find Usbstor.sys. Right-click the Usbstor.sys file, and then click Properties.
Click the Security tab.
In the Group or user names list, click the user or group that you want to set Deny permissions for.
In the Permissions for UserName or GroupName list, click to select the Deny check box next to Full Control, and then click OK.

The above steps will prevent users from installing USB storage device.

If USB storage is already installed then follow these steps

Click Start, and then click Run.
In the Open box, type regedit, and then click OK.
Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
In the details pane, double-click Start.
In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
Exit Registry Editor.
USB storage device will be disabled

Connect a usb flash drive (pen drive) and check it is not detected

Even after following above steps if it is not disabled then follow the these steps:

Click Start, and then click Run.
In the Open box, type regedit, and then click OK.

Locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet1\Services\UsbStor

In the details pane, double-click Start.
In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
Now Navigate to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet2\Services\UsbStor
In the details pane, double-click Start.
In the Value data box, type 4, click Hexadecimal (if it is not already selected), and then click OK.
Exit Registry Editor.

Now connect USB flash drive it will not be detected.

Note:Disabling USB storage device does not effect connecting USB keyboard or USB mouse to your computer. It will only disable USB storage device.

Increase internet speed using Tcp optimizer and Half-Open

2009-06-08T16:48:00.003+05:30

You can increase your internet speed using tcp optimizer

The program can aid both the novice and the advanced user in tweaking related TCP/IP parameters in the Windows Registry, making it easy to tune your system to the type of Internet connection used. The tool uses advanced algorithms, and the bandwidth*delay product to find the best TCP Window for your specific connection speed. It provides for easy tuning of all related TCP/IP parameters, such as MTU, RWIN, and even advanced ones like QoS and ToS / Diffserv prioritization. The program works with all current versions of Windows, and includes additional tools, such as testing average latency over multiple hosts, and finding the largest possible packet size (MTU).

Open tcp optimizer in the tcp optimizer window select optimal settings radio button Click on apply changes and click on OK and Click on No when it asks for reboot

get the tcp optimizer here

After tweaking MTU you can use half-open to change the tcp ip connection limit Half-open limit fix is a program designed to change the maximum number of concurrent half-open outbound TCP connections (connection attempts) in the Windows system file tcpip.sys. Microsoft first introduced this limit in Windows XP SP2 (Service Pack 2) and is present in all later versions of Windows. This was done to try to slow the spreading of viruses and malware from system to system and also to reduce the impact of infected systems participating in DoS (Denial of Service) attacks. This limit makes it impossible for Windows systems to have more than 10 concurrent half-open outbound connections. After 10, new connection attempts are put in a queue and forced to wait. Therefore, the speed of connection to other computers is actually limited. P2P (peer-to-peer) programs (µTorrent, BitComet, eMule, P2P TV etc.) are generally the most affected programs. As they use up all 10 of the half-open connections, other Internet activity, especially the loading of web pages, can be extremely slow. The delay before the beginning of opening can make some tens seconds. This happens regardless of the speed of your Internet connection. Half-open limit fix takes care of this problem by increasing the maximum limit of half-open connections. For the overwhelming majority of Internet users, changing the limit to 100 will be more than sufficient.

get half-open here

now open half limit and select the language as English and click on add to tcpip.sys.

This will improve the internet performance on your DSL and cable internet lines. If you want you can restore the settings also by clicking on restore original file because sometimes your ISP router may have a limit on no of tcp ip connections.

If you have firefox you can install tweak network addon to improve the speed in firefox

after installing tweak network restart firefox and open tools menu-> tweak network click on OK now click on power and click on OK.

Hide your IP address and surf internet anonymously

2009-06-08T16:34:00.004+05:30

UltraSurf is a proxy server that beats the rest of the proxy servers on the net by offering features that others do not including login, flash files, java script, orkut, youtube, and file downloads, file uploads. Along with this you will not have any annoying ads or annoying pop ups and you will travel at faster speeds than you can imagine.

you will be able to bypass the firewalls that are put there to ensure you do not visit websites your company or school do not want you to view. You may not realize this, but many companies and universities block access to various social websites, thus stopping your freedom. With the UltraSurf, you will be able to browse all the social websites such as Facebook, Youtube, Myspace, Orkut, Hi5, and Linkedin to name a few of the most popular.

Note:

It works only with Internet Explorer
The proxies are from US only
You can not choose the proxy to use

Note: To use ultrasurf with firefox download this addon

Download firefox addon

Download it and open it with firefox to install it now enable it by clicking wjbutton at the bottom right corner of firefox window. Now open ultrasurf and browse internet.
http://www.ultrareach.com/downloads/ultrasurf/wjbutton_en.zip

Download it from here:

http://www.ultrareach.net/downloads/ultrasurf/u94.zip

or use

GPass is a highly advanced software that can encrypt your online data, hide your IP address, and sidestep content filtering and monitoring using a number of secure channels to connect to the Internet and break through the Internet blockade. GPass supports the online applications that you use the most, including Web browsers (e.g. Firefox), multimedia players, email, instant messengers, download managers, and so on.

The software is free for personal use within selected countries where unjust Internet censorship is prevalent.

Supported applications include:
Web browsers such as

Internet Explorer or Firefox
Multimedia players such as Windows Media Player or Real Player
Email clients such as Outlook or Thunderbird
Instant messengers such as MSN, Skype, and Yahoo messengers Download managers such as wget and FlashGet

For more information visit:

http://gpass1.com/gpass/

Download gpass from here:

http://gpass1.com/gpass/download-en

Kamsoft CKVO.exe malware manual removal instructions

2008-09-29T01:07:00.007+05:30

Description: Troj/Gamania-BW

Name: Kamsoft

Command: C:\windows\system32\ckvo.exe

This malware creates following entries in registry so that it executes whenever windows starts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

Attacks all drives and modifies mount points key in registry so that when you double click on drives they open in new window instead of opening in same window

Example:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}\shell\Autoplay\DropTarget

Resets the hidden files attributes.

Files associated with this malware that are hidden as system files in all partitions including C:\

39lpji.com
ktnquo.exe
vxl.exe
oq.cmd
fe.bat
kk3.bat
rs.cmd
autorun.inf

Files found in C:\windows\system32

ckvo.exe
ckvo0.dll
ckvo1.dll

Removal instructions:

Start the computer in safe mode by pressing F8 during booting

Open Registry Editor

Delete the value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Kamsoft"=C:\windows\system32\ckvo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\

delete all the keys starting with {........}

Example:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{05ef6149-5e60-11dd-8a88-0003254ecf1b}

In the above key delete {05ef6149-5e60-11dd-8a88-0003254ecf1b}

Open the command prompt

go to C:\>

type attrib so you can see the hidden files in root drive

To clear the attributes of malware files type

attrib -s -h -r filename

Example: C:\>attrib -s -h -r autorun.inf
D:\>attrib -s -h -r autorun.inf

repeat the above command for all files of malware

To delete the virus files type

del filename

Example: C:\> del autorun.inf
D:\> del autorun.inf

repeat the above command for all files of malware

look for the files of malware in all other partitions and delete them.

go to c:\windows\system32>

type attrib -s -h -r ckvo.exe
attrib -s -h -r ckvo.dll
attrib -s -h -r ckvo0.dll
attrib -s -h -r ckvo1.dll
del ckvo.exe
del ckvo0.dll
del ckvo1.dll

Some files in system32 may not delete then you should logoff once and logon to delete any files associated with this malware

Now open Registry editor go to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

Change the DWORD value of Checked Value from 0 to 1.

Now go to folder options and change the hidden file attributes and show system files options. You should be able to see all hidden files.

Finally turnoff the system restore and turn it on again so the previous restore points will be deleted

Free personal firewalls

2008-09-12T12:14:00.002+05:30

A firewall can offer complete protection from inbound and outbound communications occuring from a system. It allows and denies communication based on a set of rules. It can help in saving internet bandwidth and also protects from hackers with intrusion prevention. It helps in preventing identity theft.

Below is list of free personal firewalls for windows

Comodo Firewall Pro 3.0.22.349 Get it now

Online Armor Personal Firewall 2.1.0.131 Free Get it now

PC Tools Firewall Plus 4.0.0.45 Get it now

ZoneAlarm free firewall Get it now

Rootkit Removal tools

2008-09-09T13:09:00.000+05:30

A rootkit is a program or a set of programs used to take control of a computer in future. This rootkit is installed by an attacker once he gains access to compromised system. A rootkit may alter the normal execution flow of an application by a process called "hooking". It can also hide itself by hiding the processes and registry keys belonging to it. A rootkit can be used by attacker in future to access the compromised computer at his will.

Below are the free rootkit removal tools

DarkSpy

DarkSpy Anti-Rookit is a multiway-based detection tool for rootkit detection. It internally combines many effective detection techniques, including DarkSpy's own handlers and also methods used by other famous tools.

Get it here

Rootkit Revealer

This rookit revealer freeware from sysinternals detects persistent rootkits on windows 4.0 and higher.

Get it here

Sophos Anti-Rootkit

It finds and removes any rootkit that is hidden on your computer using advanced rootkit detection technology.

Get it here

VPanda AntiRootkit 1.07

Deactivates any unknown rootkits found on your system. Various improvements have also been made to the disinfection of unknown rootkits, some false positives reported by some of you, and more deactivation routines.

Get it here

Free antivirus softwares

2008-09-09T12:25:00.000+05:30

BitDefender
BitDefender Free Edition is an on-demand virus scanner which incorporates BitDefender scanning engines. This is one of the top rated antivirus in reviews

Click here to get it.

Avast Home Edition
It is available free for home use. It provides continuous protection against all forms of malicious software (malware).

Click here to get it

Download links of other free antivirus softwares are listed below:
AVG Antivirus
Avira Antivirus
PC Tools Antivirus
Mcafee
PC Tools Threatfire

Services that need your attention in windows xp

2008-08-27T11:07:00.001+05:30

For securing standalone or workgroup computers of windows xp professional /home

Services which can be set to manual state are:

Recommended Setting: Manual

Application Layer Gateway Service

Application Management Service

Background Intelligent Transfer Service

COM+ Event System Service

COM+ System Application Service

Distributed Transaction Coordinator Service

Fast User Switching Compatibility Service

HID Input Service

HTTP SSL

IMAPI CD-Burning COM Service

Indexing Service

IPSEC Services Service

Logical Disk Manager Administrative Service

Machine Debug Manager Service

Network Connections Service

Network Location Awareness (NLA) Service

Network Provisioning Service

NT LM Security Support Provider

Performance Logs and Alerts Service

Portable Media Serial Number Service

Remote Access Auto Connection Manager Service

Remote Access Connection Manager Service

Remote Procedure Call (RPC) Locator Service

Removable Storage Service

TCP/IP NetBIOS Helper Service

Telephony Service

Terminal Services Service

Universal Plug and Play Device Host Service

Web Client Service

Windows Image Acquisition (WIA) Service

Windows Installer Service

Windows Management Instrumentation Driver Ext

WMI Performance Adapter Service

Services which can be disabled are:

Recommended setting: Disabled

Alerter Service

Clip Book Service

Indexing Service

Internet Connection Firewall (ICF)/Sharing (ICS)

Messenger Service

MS Software Shadow Copy Provider Service

Net Logon Service

NetMeeting Remote Desktop Sharing Service

Network DDE Service

Network DDE DSDM Service

QoS RSVP Service

Remote Desktop Help Session Manager Service

Remote Registry Service

Routing and Remote Access Service

Smart Card Service

Smart Card Helper Service

SSDP Discovery Service

Telnet Service

Uninterruptible Power Supply Service

Upload Manager Service

Volume Shadow Copy Service

Windows Firewall/Internet Connection Sharing (ICS)

Windows Time Service

Wireless Zero Configuration Service

This section presents an overview of the above mentioned services and why they need to be disabled.

Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.

You can use the alerter service to have Performance Monitor send you a network pop-up message or run a program when one of the counters exceeds a preset threshold. It is of no use for standalone system.

Application Layer Gateway Service
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall

Instead of sharing an internet connection through single system as gateway you can purchase a router and a switch to share an internet connection. A router has a built-in port filtering mechanism.

Automatic Updates
Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated.

You can disable automatic updates if you are updating windows manually

Background Intelligent Transfer Service
Uses idle network bandwidth to transfer data.

ClipBook Viewer
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.

Distributed Transaction Coordinator Service
This service is used to share information that is copied on to ClipBook to be shared on remote computers.

COM+ Event System Service
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.

COM+ System Application Service
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

If you disable this service COM+/OLE registration will not work
At every boot a warning will be in the Event Log

Distributed Transaction Coordinator Service
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.

MSDTC performs the transaction coordination role for components, usually with COM and .NET architectures. In MSDTC terminology, the director is called the transaction manager.

Fast User Switching Compatibility Service
Windows XP's new Fast User Switching feature allows one user to quickly access a computer without forcing another to log off or quit applications.

HID Input Service
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.

HTTP SSL
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.

IMAPI CD-Burning COM Service
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.

Indexing Service
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.

This service is used to extract content from files and construct an indexed catalog to facilitate efficient and rapid searching.

Internet Connection Firewall (ICF)/Sharing (ICS)
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.

Disable Internet Connection Sharing (ICS) and Firewall services use third party firewalls
or an Internet security suite securing your computer

IPSEC Services Service
Manages IP security policy and start the ISAKMP/Oakley (IKE) and the IP security driver

If connecting over an IPSEC secured connection you have to have this service Enabled.

Logical Disk Manager Administrative Service
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.

This service is important as it monitors hard disk drives and works in conjunction with disk management.

Machine Debug Manager Service
Manages local and remote debugging for Visual Studio debuggers

Messenger Service
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.

MS Software Shadow Copy Provider Service
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed.

Works along with Volume Shadow Copy Windows ntbackup utility. it is useful service for cloning of disks

Net Logon Service
Supports pass-through authentication of account logon events for computers in a domain

This service is useful for authenticating users for domain logon

NetMeeting Remote Desktop Sharing Service
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start

Network Connections Service
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections

Network DDE Service
Provides network transport and security for Dynamic Data Exchange

Network DDE DSDM
Manage shared DDE communications from shares like \\computername\ndde$

Network Location Awareness (NLA) Service
Collects and stores network configuration and location information, and notifies applications when this information changes

Network Provisioning Service
Manages XML configuration files on a domain basis for automatic network provisioning

NT LM Security Support Provider Service
Provides security to remote procedure call (RPC) programs that use transports other than named pipes

Performance Logs and Alerts Service
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert

Portable Media Serial Number Service
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device

QoS RSVP Service
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets

QoS functions as a load balancer between applications by shifting bandwidth for the applications when needed

Remote Access Auto Connection Manager Service
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address

Remote Access Connection Manager Service
Creates a network connection

Remote Desktop Help Session Manager Service
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box

For remote desktop the Remote Desktop Help Session Manager Service should be enabled

Remote Procedure Call (RPC) Locator Service
Manages the RPC name service database

Remote Registry Service
Enables remote users to modify registry settings on this computer

Removable Storage Service
Removable Storage works together with your data-management applications. It makes possible for multiple applications to share the same storage media resources

Routing and Remote Access Service
Offers routing services to businesses in local area and wide area network environments

Smart Card Service
Manages access to smart cards read by this computer

If you use a smart card for authentication (logging into computer) enable this service

Smart Card Helper Service
Enables support for legacy non-plug and play smart-card readers used by this computer

SSDP Discovery Service
Enables discovery of UPnP devices on your home network

TCP/IP NetBIOS Helper Service
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution

Telephony Service
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service

Telnet Service
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers

Terminal Services Service
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers

Uninterruptible Power Supply Service
Manages an uninterruptible power supply (UPS) connected to the computer

Universal Plug and Play Device Host Service
Provides support to host Universal Plug and Play devices

Upload Manager Service
Manages synchronous and asynchronous file transfers between clients and servers on the network

Volume Shadow Copy Service
Manages and implements Volume Shadow Copies used for backup and other purposes

Web Client Service
Enables Windows-based programs to create, access, and modify Internet-based files.

This allows users to connect directly to online storage service such as Apple Idisk by using WebDAV protocol

Web-based Distributed Authoring and Versioning or WebDAV, is a protocol which allows users to collaboratively edit and manage files on remote World Wide Web servers

Windows Image Acquisition (WIA) Service
Provides image acquisition services for scanners and cameras

Windows Installer Service
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package

Windows Management Instrumentation Driver Extensions
Provides systems management information to and from drivers

Windows Time Service
Maintains date and time synchronization on all clients and servers in the network

Wireless Zero Configuration Service
Provides automatic configuration for the 802.11 adapters

If you disable wireless zero configurations you have to configure wireless networking manually

WMI Performance Adapter Service
Provides performance library information from Windows Management Instrumentation (WMI) providers to clients on the network

Also see Security options Configuration

Least privilege policy for windows XP

2008-08-21T12:35:00.000+05:30

We should never leave the administrator account with a blank password. Users should have the least rights that are needed to perform there tasks. It is recommended to disable the guest account and always browse internet with the least privilege principle applied. For this you need to create a user account with limited rights. You can do this by using computer management.

Right click on My Computer, go to Manage, Local users and Groups.
Right click in the right window pane select new user and specify the username and password.
Uncheck user must change password on next log on and create the user. This user by default will not have admin rights.

Also enforce the password complexity rule in account policies snap in in group policy, Also specify account lock out duration and no of invalid attempts for locking the account. If you enable this policy by default the account will unlock after the time you specified in account lock out duration.

follow the steps mentioned below for password policy configuration:

Go to Start, Run, type gpedit.msc

In the Group Policy Editor and under Computer Configuration, expand Windows Settings, expand Security Settings, expand Account Policies, and then click Password Policies.

Double-click Enforce password history, set the value of Keep password history to 24, and then click OK.

Double-click Maximum password age, set the value of Password will expire in to 42, click OK, and then click OK to accept a suggested value change for the Minimum password age.

Set the minimum password age to 1 or 2

Double-click Minimum password length, set the value to 8, and then click OK.

Double-click Password must meet complexity requirements, select Enabled, and then click OK.

Double-click Store passwords using reversible encryption, select Disabled (default), and then click OK.

password-secure your screen saver

In Group Policy Editor, go to User Configuration, expand Administrative Templates, expand Control Panel, and then click Display.

In the details pane, double-click Password protect the screen saver, select Enabled

Also see Other security settings

firewall and antivirus are mandatory

2008-08-21T12:08:00.000+05:30

Firewall is a device or software which permit, deny, encrypt, or proxy all the information passing through it based on rules configured in to it.

Firewalls are systems designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both Hardware and Software, or a combination of both.There are so many firewalls which offer stateful packet inspection, deep packet inspection, applicaton layer firewalls,proxy firewalls.

Windows has a built firewall for xp but it offers only inbound protection. A firewall should be able to stop the internal processes from outbound communication also so that if a virus attack happens any outbound intenet communication is denied by default.

Topmost personal firewalls include Zone Alarm, Kaspersky Internet Security Suite which offers complete protection with web antivirus,firewall,file antivirus etc. Comodo firewall also offers a good protection on outbound communication. Even if you have a firewall if you did not configure it properly it will result in poor security.

You should configure in such a way that only necessary programs should be able to communicate and deny all other programs. Comodo offers a parental control feature to control the alerts that you will recieve from the firewall if you put a password there is an option to suppress the firewall alerts and defense alerts. if you use comodo you should install a antivirus solution also.

Bitdefender is also an internet security suite offering the same protection as kaspersky and also tops the 2008 antivirus reviews.

In kaspersky you should configure the firewall in high security mode so it will not show any alerts and denies the outbound communication if that program is not configured to use internet by default.

Also see scan for missing patches

Use Simplite for messenger encryption

2008-08-21T11:51:00.000+05:30

Simplite is a messenger encyption software it encrypts messages before they leave your computer to the Internet, SimpLite prevents eavesdroppers from reading your Messenger conversations. if you are using yahoo messenger use simplite for yahoo and for msn use simplite for msn messenger. Simplite is a free messenger encyption software.

Get this software here

Few more security settings for enhanced security

2008-08-21T11:11:00.000+05:30

Security tab:

Enable the security tab that appears in the folder properties tab by disabling the simple file sharing that is enabled by default in windows XP. This setting applies only for NTFS partitions. FAT32 partitioned drives are not as secure as NTFS. This security tab can be used to specify restrictions on an file or a folder for a purticular user whether he can access it or not.

Disable Autorun Feature:

Some malicious software uses Autorun feature that makes any program run automatically when you insert a flash drive or a CD. You can disable autorun feature for all drives or for specific drives.

To disable autorun:
For XP Pro:

Open Run from start menu

Type gpedit.msc and click OK

The Group Policy snap in will open.

Go to Computer configuration, Administrative Templates

In the right pane, double-click System

Scroll down the list and double-click Turn Off Autoplay, in the Turn Off Autoplay Properties window, select Enabled.

From the dropdown next to Turn Off Autoplay on, select All drives and Click Ok.

Go to User Configuration, Administrative templates follow the above proceedure for this also.

For XP home users:
Go to Start, Run type regedit and press enter

Navigate to the following key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.

Select the key Explorer and in the right-pane right click the value NoDriveTypeAutoRun
select Modify select Hexadecimal.Type 95 and click OK.Exit the registry editor.

If it is no present create a DWORD value NoDriveTypeAutorun an then assign the hex value

Also see firewalls and antivirus

Scan your system for missing patches

2008-08-21T10:46:00.000+05:30

Use tools like Secunia PSI from Secunia to scan for missing updates and applications that vulnerable and download the appropriate application or patch and apply it so that your system remains hard on any kind of attack or expliotation. Also remove the outdated applications for which the support ended so that your system remains less vulnerable or prone to attacks. For more visit www.secunia.com

Get Secunia PSI from here

Also see Simplite messenger encryption

Security Options Configuration for securing XP Professional

2008-08-21T10:01:00.000+05:30

The security options snap in contains options that can also be modified through registry. But its better to use this snap in instead of registry.

The security options that need a change to secure your system are listed below

Limit local account use of blank passwords to console logon only.Enable this setting local accounts with blank passwords cannot be used to connect to the machine from across the network.

Rename the default administrator account with a different name.Rename the guest account and also disable guest account for more security

Allow undock without having to log on. Disable this setting.

Restrict CD-ROM access to locally logged-on user only. Enable this setting.

Restrict floppy access to locally logged-on user only. Enable this setting.

Domain member: Disable machine account password changes. Disable this setting.

Do not require CTRL+ALT+DEL disable this setting if you require to have CTRL+ALT+DEL key combination enabled at the time of logon. This setting is enabled by default in domain controllers. Also yo need to disable welcome screen to enable this setting.

Number of previous logons to cache (in case domain controller is not available.Set this to 0.

Smart card removal behavior set this to lock workstation.

Send unencrypted password to third-party SMB servers. Disable this setting.

Allow anonymous SID/Name translation. Disable this setting.

Do not allow anonymous enumeration of SAM accounts. Enable this setting.

Do not allow anonymous enumeration of SAM accounts and shares. Enable this setting.

Do not allow storage of credentials or .NET Passports. Enable this setting.

Let Everyone permissions apply to anonymous users. Disable this setting.

Remotely accessible registry paths. Delete all settings.

Shares that can be accessed anonymously. Delete all settings.

Sharing and security model for local accounts. Set this to classic users authenticate themselves.

Do not store LAN Manager hash value on next password change. Set this to enabled

Allow system to be shut down without having to log on. Set this to disabled.

Clear virtual memory pagefile. Set this to enabled.

Strengthen default permissions of internal system objects (e.g. Symbolic Links). Set this to enabled.

Also see User rights assignment

User Rights Assignment

2008-08-21T09:33:00.001+05:30

User rights assignment snap in determines what actions the user will be able to perform. settings which require a change are explained below

To modify the user rights settings:

Local Policies → User Rights Assignment
Double-click on the desired Attribute in the right frame.
To add a user or group, Add User or Group → Enter user or group →
Add → OK → OK
To remove a user or group, select user or group → Remove → OK

Remove the power users group from all user rights.

Backup files and directories remove the backup operators

If you require backup operators for your network you can keep it however administrators are granted this right.

Bypass traverse checking give permission to users and remove all other groups

Debug programs is a right required for a developer otherwise remove all the users from this setting

Force shutdown from a remote system remove all groups except administrators

logon locally give this right to administrators and users group and also for backup operators if required.

Restore files and directories if you require backup operators assign the right for them or else you can remove all the groups except the administrators

Also see Least privilege policy

Security guide for windows xp

2008-08-19T18:13:00.000+05:30

Microsoft is providing a security configuratuion guide for configuring system security policies.This guide is intended for security specialists. This guide explains in detial about the user rights assignment group policy and services configuration.If you want this guide you can download it from this link

Factors that influence Information Security

2008-08-19T16:59:00.000+05:30

Information security for home users comprises of

Confidentiality: Information should be available only for the users who are authorized to access it.

Integrity: Information should be modified only by persons who has right to modify it.

Availability: Information should be available for authorized users when there is a need to access it.

Information or data is disclosed to unauthorized persons by below mentioned methods:

1. Malware

2. Spyware

3. Buffer overflow attacks

4. DOS and DDOS

5. Unprotected file sharing

6. Cross-site scripting

7. Email spoofing

8. Email viruses

9. Active x controls, JavaScript

10. Internet Relay Chat clients

Malware (Malicious software in short) is a program which is designed to cause damage or to gain access to a remote system without relying on vulnerabilities.

Spyware is software that is installed on a remote system on accessing a compromised website or an insecure system which is used to capture screenshots or keystrokes (key loggers) of a user.

Buffer overflow is a condition which occurs due to insufficient bounds checking of a program. It is a kind of software vulnerability. This occurs when a malicious user tries to insert data beyond the boundaries of fixed length buffer.

DoS or DDoS attack is an attack where the aim of the attacker is to make the resource unavailable for legitimate users. This is achieved by sending large number of external communication requests which results in consumption of available bandwidth.

Unprotected file sharing using a weak password over network results in compromise of the file sharing mechanism in windows which can be utilized by viruses and worms to spread over the entire network. Disable the file sharing if not required or use a strong password mechanism to prevent unauthorized access.

Cross-site scripting is a condition where a compromised or malicious website or a web application allows code injection by malicious users which results in site phishing attacks or browser exploitation to gain control over the attacked computer.

Email spoofing is a technique where a user receives a mail that looks as if it came from a legitimate source but was actually sent from another source.

Example: Emails claiming credit card numbers, passwords etc.

Email viruses come from attached files when a user clicks on the attachment that is not from a legitimate source.

Active x controls, JavaScript may contain scripts or controls that may harm your computer and compromise it.

Internet Relay Chat clients are mainly designed for discussions over forums and channels which also allows private communication. IRC communication can also result in DoS attacks.

To reduce the risk of the above mentioned attacks we need to harden our operating systems accordingly