Windows 7 can be encrypted with TrueCrypt very easily, and at no cost to you. TrueCrypt operates in a variety of ways, however for this blog we will focus on pre-boot Operating System encryption for the storage device i.e harddrive, so that a password is required to access the data once the computer is turned on, and prior to it booting into Windows.

It is possible to encrypt a single file or partition with TrueCrypt in Windows, however the below guide focuses on encrypting the whole physical disk from bootup.

Windows 7 encryption with TrueCrypt

1. Download TrueCrypt for free at truecrypt.org (64bit and 32bit versions of Windows 7 are supported).

2. Launch the setup Wizard, except the terms and conditions and press Install.

3. Leave all options default and TrueCrypt will create all the necessary desktop icons, and file associations. TrueCrypt will also create a restore point for you to roll-back with in the event of any problems when installing the software.

4. After the install completes, launch the TrueCrypt blue icon from the desktop. From the top menu, select System > Encrypt System Partition/Drive.

5. Read both options on the screen and either select Normal or Hidden. We will select Normal for this guide. On the next screen select if you wish to encrypt only the Windows partition or the whole drive. In this example we will encrypt just the Windows partition. Remember that if you have multiple partitions with sensitive data on them on one single drive, you should select the whole drive option.

6. Select the option that corresponds to your setup, on this occasion we are focusing on encrypting a single operating system, so we will select the Single-Boot option.

7. By default TrueCrypt offers us AES (Advanced Encryption Standard) which is sufficient for the average person. Note that if you select a more complex encryption method, such as Serpent, Twofish & AES then performance will be negatively affected.

8. On the next screen, enter your decryption password, this is very important, do not forget it! You will be prompted for it each time you turn your computer on to decrypt the Windows partition.

9. After passing the next steps by moving the computer Mouse, generating the keys and creating a rescue disk (you will need a blank CD) you are ready to encrypt the Windows 7 partition.

10. Complete the process of encrypting your system by pressing next. This can take some time, so be patient. Once you next reboot, you will be prompted with a password to access Windows. See image below.

Congratulations, you now have Windows 7 encryption for free!

This software has now been replaced with Fing for Windows.

Fing is a small lightweight command line tool for Windows, Mac, Linux and Mobile devices that lets you scan and discover active hosts on your network. It also lets you detect the running services on each host and will allow you to export the data into a variety of formats. Look@Lan for Windows is currently being redeveloped by Overlook software to form part of a new GUI release, which is expected to be released shortly.

Fing for Windows is currently increasing in popularity, it allows fast scanning and constant host detection with its default loop feature, which is ideal for constantly flagging up any new hosts on your network.

Fing has a built in command to simplify the scanning process and let you learn the available switches. This command can be used in the following way:

fing -interactive 

This command will perform fing discovery on a specified host and automatically explain the available switches to you. Fing is now the replacement tool for Look@LAN which is no longer supported on Windows 7

Look@LAN for Windows still works on Microsoft Windows XP and 32bit Operating Systems. You can download it from CNET.

What is a botnet

Botnets are large groups of computers that have been infected by a network worm. These are like viruses only with fewer noticeable effects, and are often designed to serve a purpose, which is in most cases to perform large network attacks against other computers, or to commit fraud by harvesting data from the infected PC’s (zombies). Often network attacks are used in an attempt to extort money from victims, often businesses operating large websites such as Poker websites. Harvesting of data such as credit card information or personal details of the victims themselves to sell on to the black market for around $10 a pop. This is why botnet detection is important, and if you feel your PC may have become infected you should read on!

Botnet detection and removal

Firstly we need to take a baseline reading of your PC activity, to confirm you are most likely infected with a network worm. The first step is to download a user friendly TCPView tool by Sysinternals/Microsoft. This shows what programs are running on your computer and if they are connecting out to the internet. A quick Google search will allow you to find and install TCPView. Take a look below at the screen shot.

What to look for in Tcpview (Click to Enlarge):

1) Lots of green connections being constantly established. This means the worm is scanning or attacking other websites. In this example you can see the victim has had his internet explorer infected (iexplore.exe) and it is scanning websites. You can tell this as there are lots of iexplore.exe processes open and many green established connections.

2) High port numbers often indicate a hijacked or rogue executable file is running on the system. In this example you can see the iexplore is running on a high local port ’59698′. This is probably the controlling port, and allows the botmaster to control the botnet. Although in this example you see all the remote ports as http (80) that is not always the case. Port 80 is the www port, which websites operate over, and it could be the botmaster is being controlled via a website. A lot of the time botnets connect up to higher remote ports also, these are common port numbers to watch out for:

6667, 7000, 3267, 5555, 4367

If you see remote connections to these ports and you are not chatting to someone on Internet Relay Chat (IRC) we would highly advise running the tool RUBOTTED by Trendmicro to aid in botnet detection and removal.

After you have run this tool, be sure to check TCPView again after a fresh reboot, and check the level of active connections leaving your computer. If you still have further problems, we recommend doing a free online virus scan that ESET provide.

Staying clean after botnet detection and removal

1) Maintain your Anti Virus by renewing your annual subscription, and ensure it is updated automatically every day. Ensure your PC is kept up2date with Windows/Mac/Linux system updates and security patches for the software running on it.

2) Avoid BAD websites, don’t click on popup adverts, just cross them off, or if need be kill the process.

3) If you are comfortable with controlling what applications have access to the internet install a free firewall such as the one Comodo provide.

Compile error in hidden module: AutoExec

Compile error in hidden module: DistMon

Compile error in hidden module: AutoExecNew

These errors occur if your startup file in Microsoft Word or Excel has become corrupt, this can happen due to malware or a plugin that has corrupted the files:

ComctlLib.exd
MSComctlLib.exd

To stop the error from appearing when you start Microsoft Word or Excel, do the following:

1) Close all Microsoft Office products that you have open.

2) perform the following, depending on your operating system

If in Windows XP open the following folder and rename the two files above so that they end in .old

C:\Documents and Settings\USERNAME\Application Data\Microsoft\Forms     where USERNAME is the current user

If in Windows Vista open the following folder and rename the two files above so that they end in .old

C:\Users\USERNAME\AppData\Roaming\Microsoft\Forms   where USERNAME is the current user

If in Windows 7 open the following folder and rename the two files above so that they end in .old

C:\Users\USERNAME\AppData\Roaming\Microsoft\Forms     where USERNAME is the current use

3) After renaming the files open the Microsoft Office products, e.g Excel and you will see the error has gone.

This compile error in hidden module fix was researched and tested on Microsoft Office 2010 products using Windows 7 64bit Edition.

To kill the process, simply launch Windows task manager (ctrl + alt + del) and end the task, or right click on the task and select ‘Go to process’ and press the ‘End Process’ button. As this can often leave random executable files running we urge you to give combofix time to complete prior to aborting the process. If you do have to kill combofix using the above technique, be sure to reboot or your internet may not work!

Combofix is very easy to uninstall and can be done using a cleanup tool known as OTC by Oldtimer.

How to uninstall combofix

1) Download OTC by OldTimer (a quick google search will find you the file, save it to your desktop.

2) Run the OTC.exe file and click on the ‘Cleanup’ button to uninstall combofix.

3) At the end of the process OTC will prompt you to reboot. Reboot your PC and all of combofix and its associates files and folders that it creates including the setup file combofix.exe will be removed. OTC.exe even removes itself after the reboot has been completed.

This is how to uninstall combofix as of April 2012, as the previous method using combofix.exe -u is no longer supported.

This guide explains how to use combofix, and when you should use it. Please note that combofix can damage your computer if not used correctly, so always seek professional help prior to running this software if you are unsure of any aspect about its usage.

When to use combofix

Combofix should be used if you have malware on your PC. It is particularly good at removing windows rootkits and unhooking rogue dll and exe files from your systems processes. I would always attempt to scan and clean your computer first with the more user friendly Malwarebytes, which is another great free program for removing Malware/Spyware.

How to use combofix

1) Download combofix.exe from bleepingcomputer.com

2) Prior to running combofix shut down all applications, including any web browsers, and disable your antivirus by right clicking on it and disabling protection.

3) You can now run the combofix.exe and a blue screen will load up, and prepare the application. Combofix will automatically attempt to create a system restore point, so in the event of any problems you can restore your PC back to its prior state.

4) Before the combofix scan begins it will install the recovery console which is used to run various microsoft commands against your system i.e in the event it needs to repair a bootsector from a virus attack.

5) Once installed the blue screen can commences and you do not need to do anything else to use combofix, it will automatically scan and attempt to remove rootkits and malware. As it scans through up to 50 phases, it will inform you on screen.

6) If any harmful files are found when combofix is in use, you will be notified with a popup box and the severity of the threat, and what to do to fix the issue (normally it asks you to reboot). Let the scan complete first.

7) Once the scan is completed a log will be generated and dumped into C:\combofix.txt for you to upload to experts on bleeping computer’s forums to further assist in the groups research and development, and if needed assist you in removing malware should combofix be unsuccessful.

A typical screen of combofix when it’s running:

If you have further questions about how to use combofix please post on bleeping computers forums.

Recommended Nmap Command Syntax: 

nmap -v -sS -sV -O -Pn -f target

Nmap Commands explained

nmap -v

Explanation: Sets the nmap into verbose mode. You can increase this by adding more ‘v’s e.g nmap -vv

Advantage: Gives you more information to play with

nmap -sS

Explanation: Sets the nmap to scan using TCP Stealth SYN (establishes a half open connection to the target then terminates the connection if the connection is accepted)

Advantage: As you are not establishing a full connection to the target, there is less chance of being logged. You will need a root account to run this scan and use this nmap command.

nmap -sV

Explanation: Sets nmap to scan for active running services information and version details on the target.

Advantages:  Helps gather additional intelligence when you wish to find out further information about other services running on the target.

nmap -O

Explanation: Sets nmap to attempt operating system detection

Advantage: Helps you find out the OS the target is running

nmap -Pn

Explanation: Sets nmap to ignore ping / host up response

Advantage: Some hosts have ping response disabled on the internet. This assumes all hosts are up, even if they do not respond to ping.

Nmap Commands to help bypass Intrusion Detection Systems (IDS)

There are several ways to confuse or help bypass IDS on targets. The easiest way is to use the switch below. You may also want to look into the Decoy switch (-D) and the Source (-S) switch to help spoof your IP address.

nmap -f (Linux/BSD only recommended)

Explanation: this fragments packets, breaking up the TCP header over several packets so the target host IDS is unable to recognise an incoming scan.

Advantage: Helps to bypass common IDS/IPS on the target.

About Nmap for Windows

Nmap is a fully feature network scanner, that is one of the most popular free tools in the IT security sector. Although Nmap’s roots began in the Unix environment, in the last few years Nmap for Windows has been developed to allow its expansion into the Windows marketplace.

Nmap for Windows is powered by a cross-platform GUI known as Zenmap. When installing Nmap Zenmap gets automatically installed along with Winpcap (packet capture) software.

As this guide is about using Nmap for Windows, and most Windows users are more comfortable using a GUI, the steps below outline how to install Nmap and launch the Zenmap GUI.

Installing Nmap for Windows

1) The installer is available on the Nmap for Windows download page. This is a self-extracting binary file, and there are two options available, STABLE or DEVELOPMENT. I would recommend the STABLE release.

2) Run the installation file and accept the terms and conditions. Leave all the default selections on the next screen to ensure Nmap for Windows gets installed with the necessary files.

Note: If you receive error messages regarding Microsoft Visual C++ Redistributable Package (x86) being installed, you can press Ok and ignore these, as it most likely means you already have a version installed. If not you can grab the x86 and x64 editions (for 64bit versions of Windows) by doing a quick Google search for Microsoft Visual C++ Redistributable Package.

3) You will now have successfully installed Nmap for windows. You can access Nmap for Windows through the Start > Program Files > Nmap > Nmap – Zenmap GUI

Optional:

4) If you wish to use the command line version of nmap in windows you can now do so via the Windows command line. Simply go to start > run > cmd or put cmd in the search box, and bring up the command prompt. From there you can run Nmap on the command line in Windows.

Happy scanning!