File Extensions Security, Hidden Files


Ice Czar

Guest
This will keep most malware from disguising itself as something else
which then tricks you into executing it

Unless you're in the habit of clicking any old file,
an .exe extension would likely give you pause,
especially if you're not so sure of the source, but what if it was just a .txt file?
That's safe, isn't it?
NO, well not till you do the following

Unhiding Part 1
Start > Programs > Accessories > Windows Explorer > Tools > Folder Options > View Tab
Check Show Hidden Files and Folders
Uncheck Hide file extensions for known file types
Uncheck Hide protected operating system files

While I'm here I also
Check Display full path in the address bar
Check Display full path in title bar
(personal preference but a useful navigational aid)


HotTweaks.txt could actually be a dual extension HotTweaks.txt.exe
same goes for .mpg, .avi, etc., and could disguise .exe, .vbs or other real file extensions
that is, till you do the above; however, there are still some files that are hidden by default (.shs, .shb, .pif files for instance) and these are potentially dangerous

a few more
.cnf SpeedDial (Extension not visible)
.lnk Shortcut (Extension not visible)
.mad Microsoft Access Module Shortcut (Extension not visible)
.maf Microsoft Access Form Shortcut (Extension not visible)
.mag Microsoft Access Diagram Shortcut (Extension not visible)
.mam Microsoft Access Macro Shortcut (Extension not visible)
.maq Microsoft Access Query Shortcut (Extension not visible)
.mar Microsoft Access Report Shortcut (Extension not visible)
.mas Microsoft Access StoredProcedure shortcut (Extension not visible)
.mat Microsoft Access Table Shortcut (Extension not visible)
.mav Microsoft Access View Shortcut (Extension not visible)
.maw Microsoft Access Data Access Page Shortcut (Extension not visible)
.pif Shortcut to MS-DOS Program (Extension not visible)
.scf Windows Explorer Command (Extension not visible, generic icon)
.shb Shortcut into a document (Extension not visible)
.shs Scrap object (Extension not visible)
.uls Internet Location Service (generic icon)
.url Internet Shortcut (Extension not visible)
.xnk Exchange Shortcut (Extension not visible)

with the exception of .url, all pretty strange extensions for most of us
simply because till now they have been hidden :p

so you can still end up with a worm that is for instance HotTweaks.txt.pif
(which is similar to a bat file, and could execute code in the file via DOS)
or an .shs file (Shell Scrap Object) which is a type of "wrapper" for embedded objects, including .exe files; it calls on shscrap.dll, OpenScrap_RunDLL

Unhiding Part 2
for this you'll need to use the registry editor
Start > run > (type) regedit
in the tree to the left select > HKEY_CLASSES_ROOT
then on the toolbar at the top > Edit > Find > and type > NeverShowExt
select the Key in the right panel "NeverShowExt" (highlighted)
and on the top toolbar > Edit > Delete >
"Are you sure you want to delete this value?" > Yes
and repeat till you can't find any more > Edit > Find Next >
(should be highlighted) Delete > Repeat till done
(note this process actually turned up my search queries for that key under my google deskbar (HKEY_SOFTWARE) as entered into the registry, no real need to delete those :p )

Part 3 rename shscrap.dll
The Story
in short, now that you're actually able to see .shs or .shb files they aren't all that dangerous
unless of course they get triggered some other way and it's still able to run
to disable that altogether, simply rename shscrap.dll
Start > Search > shscrap.dll > RClick > rename > shscrapold.dll
(all instances)
there aren't a whole lot of apps that would be employing it (Windows 3.1 holdover)
but remember it in case a problem develops with an app, easy enough to rename them back
but I've had no apps affected at all
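The Part 1 Folder Options changes and the Part 2 NeverShowExt hunt, done from PowerShell as an added example (not from the original post). It assumes an elevated session and the standard Explorer\Advanced value names HideFileExt, Hidden and ShowSuperHidden; without -Fix it only reports what it would change.

```powershell
# Added example, not part of the original post: audit (and optionally apply)
# the post's Part 1 and Part 2. Assumes an elevated PowerShell session.
param([switch]$Fix)

# Part 1: the Folder Options checkboxes are DWORDs under this per-user key.
# HideFileExt 0 = show extensions, Hidden 1 = show hidden files (2 = hide),
# ShowSuperHidden 1 = show protected operating system files.
$adv  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$want = @{ HideFileExt = 0; Hidden = 1; ShowSuperHidden = 1 }
$cur  = Get-ItemProperty -Path $adv
foreach ($name in $want.Keys) {
    if ($cur.$name -ne $want[$name]) {
        Write-Host "Part 1: $name is '$($cur.$name)', should be $($want[$name])"
        if ($Fix) { Set-ItemProperty -Path $adv -Name $name -Value $want[$name] -Type DWord }
    }
}

# Part 2: map each ProgID back to the extensions that use it, so the report
# says which file types a NeverShowExt value is hiding (e.g. lnkfile -> .lnk).
$hkcr     = 'Registry::HKEY_CLASSES_ROOT'
$byProgId = @{}
foreach ($ext in Get-ChildItem -Path $hkcr | Where-Object { $_.PSChildName -like '.*' }) {
    $progId = $ext.GetValue('')      # default value of HKCR\.ext is its ProgID
    if ($progId) {
        if (-not $byProgId.ContainsKey($progId)) { $byProgId[$progId] = @() }
        $byProgId[$progId] += $ext.PSChildName
    }
}

# Walk HKCR the way regedit's Find does (this can take a minute) and report
# every key that carries a NeverShowExt value.
$hits = Get-ChildItem -Path $hkcr -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.GetValueNames() -contains 'NeverShowExt' }
foreach ($key in $hits) {
    $exts = ($byProgId[$key.PSChildName] -join ', ')
    if (-not $exts) { $exts = '(no extension maps directly to this key)' }
    Write-Host "Part 2: NeverShowExt in $($key.Name) hides: $exts"
    if ($Fix) { Remove-ItemProperty -Path $key.PSPath -Name 'NeverShowExt' }
}
if (-not $Fix) { Write-Host 'Dry run only; re-run with -Fix to apply the changes.' }
```

The Part 1 values are read by Explorer at start, so sign out or restart explorer.exe after applying them; deleting a NeverShowExt value that lives in HKLM\Software\Classes is what needs the elevated session.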
 
This is excellent advice, and will reduce the potential for malware infection, especially in environments where the swapping of floppies/thumbdrives is common. Listen to this man, I have seen entire offices brought to their knees by "report.doc.pif" or something of the like.
 
this is just a part of the security FAQ > HELP I'm infected with...

but anyone can chime in to add suggestions; while that FAQ is locked,
the threads it links to (such as this) aren't ;)

I'm finally going through and fleshing it out since I'm in the process of securing a new computer I built for my brother ;)
 