Wednesday, March 26, 2014

Completely disable the Windows Error Reporting (WER) from of Windows 7 & 8.x,10

A complete guide to disable the Windows Error Reporting (WER) from of Windows 7 & 8.x, 10  

Step 1


  • Click on Start > Control Panel > Action Center > Change Action Center Settings.
  • Click on the "Problem Reporting Settings".
  • Select "Never Check for Solutions".

  • Click on OK to validate
  • Additionally : You can change this for all users as well by Clicking "Change report setting for all users".

Step 2


  • Click on Start > Run > Type "services.msc"
  • In the window that opens (Services), look for the following entry in the the right pane:
    • "Windows Error Reporting"
  • Double-click on this entry and set the "Startup type" status as "Disabled".



  • Click on OK to validate.


 Step 3 Double check this registry setting - EXHAUSTIVE

Best to do a search for Windows Error Reporting, and you find the key stems
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
Type "Regedit" and press "Enter."

Navigate to "Hkey_users\S-1-5-19\Software\Microsoft\Windows\Windows Error Reporting" and the above keys. 


Right-click "Disabled" and change the value from "0" to "1".


Next Key


Navigate to "Hkey_users\S-1-5-19\Software\Microsoft\Windows\Windows Error
Reporting/Consent"
       Set to 1            
             Consent\DefaultConsent REG_DWORD
Possible values: 
          1 - Always ask (default), 2 - Parameters only, 3 - Parameters and safe data, 4 - All data                
Next Key 

Navigate to "Hkey_users\S-1-5-19\Software\Microsoft\Windows\Windows Error Reporting/DefaultOverrideBehavior"
       Set to 1
          Consent\DefaultOverrideBehavior
REG_DWORD
Possible values:
0 - Vertical consent will override the default consent (default)
1 - Default consent will override the application-specific consent


Press the "Windows" key and "R" key simultaneously.

All Values Registry Values here ....

 Step 4  Disable Task Scheduler for Error Reporting Service



  • Open Task Scheduler and navigate to Task Scheduler (local) ->Microsoft->Windows->Windows Error Reporting




    Select on QueueReporting and Disable

  • Step 5 Permanently Disable Windows Error Reporting Service

To permanently Disable Windows Error Reporting Service, delete all keys under this folder LocalDumps.









    • Step 6 Clean these directories out


    C:\ProgramData\Microsoft\Windows\WER\ReportArchive

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue

    C:\Windows\LiveKernelReports\WATCHDOG




    Tuesday, March 25, 2014

    500 Internal Server Error on GoDaddy.com - no Options All allowed

    Getting a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    If you are using GoDaddy.com here's a possible reason why -



    You cannot use Options modifier in .htaccess files with GoDaddy.com.

    Related : Apache Deb Box .htaccess file set-up alternative

    If you are modifying your .htaccess file for security purposes heavily on an Apache Box.

    If you getting this 500 Internal Server Error on other web hosting companies or your own Apache Dev box.

    Here's a possible work around.

    I noticed today that I receive the following error message in each page view error_log get written:
    Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden:
    /var/www/vhosts/domain.Ca/httpdocs/index.pl, referer: http://www.domain.ca/

    Workaround

    The error messages is to get a grip on a previously used by me without any problems possibility of under / etc/apache2/mods-enabled/dir.conf to change the order as in about

       DirectoryIndex at_domains_index.html  index.html index.php index.xhtml 
                      index.htm index.shtml index.cfm

    Saturday, March 22, 2014

    Finding and Removing Orphaned SIDs and Removing Account Unknown S-1-5-21 from Windows 7 & 8, Server 2012

    Dreaded Unknown Accounts - Have you been hacked?

    Do you get accounts like this showing up for file permissions on c:\Windows\Temp:
    • Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026)
    These are known as dreaded S-1-5-21 because the can be created on the fly by programs using a technique called impersonation.

    According to Microsoft (http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649) these are called SECURITY_NT_NON_UNIQUE S-1-5-21 SIDS are not unique.

    An attempt at an explaination is a follows of what SIDS are.

    security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has a unique SID issued by an authority, such as a Windows domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group.
    Windows security uses SIDs in the following security elements:
    SIDs have following format:

    S-1-5-21-527237640-484763769-1060284398-500


    • SID => S-1-5-21
    • Unique Identifier => 527237640-484763769-1060284398
    • RID => 500
    1. The "S-1" part refers to this being a version 1 Security Identifier. 
    2. The "5" identifies the top-level identifier authority as SECURITY_NT_AUTHORITY. 
    3. All Windows SIDs begin with "S-1-5"
    4. The first sub-authority is "21", which is SECURITY_NT_NON_UNIQUE, and means  indicates a domain id will follow. This means that the value of the SID is made unique by the addition of the RID value (the last part of the decimal format). 
    5. The next three sub authorities "527237640-484763769-1060284398" are 32-bit random numbers to uniquely identify the computer. 
    6. The final part of the SID is the Relative Identifier (RID) of the object. The local Administrator user on all computers has the same well-known RID, "500".

      Note: If the local computer SID prefix values are not unique, then local user accounts on two different computers can have the same objectSID. For example, the local Administrator user, which always has the same well-known RID value of 500, will have the same objectSID value on two different computers if the local computer SID prefix is the same. Permissions granted to one of these users will apply to the other by mistake.the The RID uniquely identifies an account or group within a domain. 

    This more focused SIDS and RIDS list available at http://msdn.microsoft.com/en-us/library/cc980032.aspx, and list SIDs in a table format

    ADMINISTRATOR
    S-1-5-21--500
    A user account for the system administrator. By default, it is the only user account that is given full control over the system.

    This gives a list of well known SIDS and RIDS, and commonly quoted on other sites
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx

    Still, I am stuck for my unknown soldier, the value of 1026 for the RID I cannot find.
    • Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026)

    Determine some quick SIDs on your computer from the Windows CMD line; 

    whoami /user - lists your logged-in username SID 
    whoami /groups - list user group permission as SIDs, see image below

    But this is not giving me a complete comprehensive list of SIDS. 

    But know I suspect 1026 is part of IIS installed on my computer, given natural progression of numbers, but it is not listed.

    If you suspect a you can try to do a reverse look-up of the SID.

    You can do the reverse, how 
    to determine Which Account a SID Belongs to by using a Powershell elevated script from http://technet.microsoft.com/en-us/library/ff730940.aspx.

    PS C:\>$objSID = New-Object System.Security.Principal.SecurityIdentifier `
        ("S-1-5-21-1796778222-299937555-3999959969-1026")
    $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
    echo $objUser.Value
    returned Some or all identity references could not be translated 
    or
    PS C:\> [wmi]"win32_SID.SID='S-1-5-21-1796778222-299937555-3999959969-1026'"
    __GENUS              : 2
    __CLASS              : Win32_SID
    __SUPERCLASS         : 
    __DYNASTY            : Win32_SID
    __RELPATH            : Win32_SID.SID="S-1-5-21-1796778222-299937555-3999959969-1026"
    __PROPERTY_COUNT     : 5
    __DERIVATION         : {}
    __SERVER             : HOGWARTS
    __NAMESPACE          : root\cimv2
    __PATH               : \\THUNDERBIRD-W7U\root\cimv2:Win32_SID.SID="S-1-5-21-1796778222-299937555-3999959969-1026"
    AccountName          : 
    BinaryRepresentation : {1, 5, 0, 0...}
    ReferencedDomainName : 
    SID                  : S-1-5-21-1796778222-299937555-3999959969-1026
    SidLength            : 28
    PSComputerName       : HOGWARTS
    Still the unanswered question remains, I cannot find this account but it exist.
    • Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026)
    Well what about the brute force approach enumerating all the SIDs on a computer?

    Helge Klein has tried to solve this in the following problem statement:

    "Due to a lack of visibility permission cleanup is performed far less frequently than it could, and probably should. As a result, ghost ACEs (permissions from deleted accounts) linger in the dark corners of the file system, threatening the unsuspecting admin with the horrors of unresolvable SIDs." http://helgeklein.com/blog/2012/07/finding-removing-orphaned-sids-in-file-permissions-or-busting-the-ghosts-built-into-windows-7/
    He create setACL, a tool to get identify, find SIDS relative to all programs and deleted accounts on your computer. 

    Running the the above script produced following output.

    So at least S-1-15-2-1 in above example I know is a legitimate account and not been hacked.

    Still I could not identify this account 
    Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026) directly - but I did find 1026!!!

    For the record this is a list of common SIDs I found using above setACL command.
    C:\Program Files\Common Files\Microsoft Shared\VGX
       DACL(protected+auto_inherited):
       S-1-15-2-1   read_execute   allow   no_inheritance
       S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
    C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\Data\MSSQL10.SHAREPOINT\MSSQL\Template Data
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1019   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\100\DTS\Binn
       DACL(pseudo_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1027   read_execute   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\90\Shared
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1028   read_execute   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSAS10_50.SQLDEVLOPER\OLAP\Config
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSAS10_50.SQLDEVLOPER\OLAP\Data
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSAS10_50.SQLDEVLOPER\OLAP\Log
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLDEVLOPER\Reporting Services\LogFiles
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1026   write+read+DELETE   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLDEVLOPER\Reporting Services\RSTempFiles
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1026   read_execute+write   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSRS10_50.SQLEXPRESS\Reporting Services\LogFiles
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1011   write+read+DELETE   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1006   read_execute   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1029   read_execute   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\DATA
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1029   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\FTData
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1029   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\JOBS
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1030   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLDEVLOPER\MSSQL\Log
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1029   full   allow   container_inherit+object_inherit
       S-1-5-21-1111111111-222222222-3333333333-1030   read_execute+write+FILE_DELETE_CHILD   allow   no_inheritance
       S-1-5-21-1111111111-222222222-3333333333-1030   read_execute+write+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
       S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   FILE_LIST_DIRECTORY+FILE_ADD_FILE   allow   no_inheritance
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1014   read_execute   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\DATA
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1014   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\FTData
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1014   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\JOBS
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1015   full   allow   container_inherit+object_inherit
    C:\Program Files\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Log
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1014   full   allow   container_inherit+object_inherit
       S-1-5-21-1111111111-222222222-3333333333-1015   read_execute+write+FILE_DELETE_CHILD   allow   no_inheritance
       S-1-5-21-1111111111-222222222-3333333333-1015   read_execute+write+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
       S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   FILE_LIST_DIRECTORY+FILE_ADD_FILE   allow   no_inheritance
    C:\Program Files (x86)\Common Files\microsoft shared\VGX
       DACL(protected+auto_inherited):
       S-1-15-2-1   read_execute   allow   no_inheritance
       S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
    C:\Program Files (x86)\Microsoft SQL Server\90\Shared
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1005   read_execute   allow   container_inherit+object_inherit
       S-1-5-21-1111111111-222222222-3333333333-1013   read_execute   allow   container_inherit+object_inherit
    C:\Program Files (x86)\Microsoft SQL Server\90\Shared\ASConfig
       DACL(not_protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1013   FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+READ_CONTROL   allow   container_inherit+object_inherit+no_propagate_inherit
       S-1-5-21-1111111111-222222222-3333333333-1028   full   allow   container_inherit+object_inherit
    C:\ProgramData\Microsoft\eHome\SharedSBE
       DACL(not_protected+auto_inherited):
       S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   change+FILE_DELETE_CHILD   allow   no_inheritance
       S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   change+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
    C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
      DACL(pseudo_protected):
      S-1-5-80-1111111111-222222222-3333333333-4444444444-555555555   full   allow   container_inherit+object_inherit
    C:\ProgramData\Microsoft\Network\Connections
       DACL(protected+auto_inherited):
       S-1-5-80-31111111111-222222222-3333333333-164347954-1900376235   full   allow   no_inheritance
       S-1-5-80-31111111111-222222222-3333333333-164347954-1900376235   full   allow   container_inherit+object_inherit+inherit_only
    C:\Users\Public\Recorded TV
       DACL(not_protected+auto_inherited):
       S-1-5-80-1111111111-222222222-3333333333-1563395363-459793767   change+FILE_DELETE_CHILD   allow   no_inheritance
       S-1-5-80-1111111111-222222222-3333333333-1563395363-459793767   change+FILE_DELETE_CHILD   allow   container_inherit+object_inherit+inherit_only
    C:\Windows\Downloaded Program Files
       DACL(protected+auto_inherited):
       S-1-15-2-1   read_execute   allow   no_inheritance
       S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
    C:\Windows\Globalization\ELS\HyphenationDictionaries
       DACL(protected+auto_inherited):
       S-1-15-2-1   read_execute   allow   no_inheritance
       S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
    C:\Windows\Globalization\ELS\SpellDictionaries
       DACL(protected+auto_inherited):
       S-1-15-2-1   read_execute   allow   no_inheritance
       S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
    C:\Windows\Offline Web Pages
       DACL(protected+auto_inherited):
       S-1-15-2-1   read_execute   allow   no_inheritance
       S-1-15-2-1   read_execute   allow   container_inherit+object_inherit+inherit_only
    C:\Windows\Temp
       DACL(protected+auto_inherited):
       S-1-5-21-1111111111-222222222-3333333333-1011   read_execute+FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+DELETE   allow   container_inherit+object_inherit
       S-1-5-21-1111111111-222222222-3333333333-1026   read_execute+FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+DELETE   allow   container_inherit+object_inherit
    SetACL finished successfully.
    So the in the above output there are three records ending with 1026. and the last one is revealing since it it begins with same SID=S-1-5-21 and RID=1026 as in our unknown account. But the 3 sub authorities numbers 
    1111111111-222222222-3333333333 is supposed to be random and this is not! 
    LOOKS LIKE THIS IS HACKED ACCOUNT - THIS IS NOT GOOD!
    At least this unknown account looks normal;   
    Account Unknown (S-1-5-21-1796778222-299937555-3999959969-1026) 
    and we have a match kinda. At least we can at a least get permissions of this owner and some programs that use it. 
    Account Unknown w/ DACL (protected+auto_inherited) S-1-5-21-<>-1026
    File Permission  read_execute+FILE_ADD_FILE+FILE_ADD_SUBDIRECTORY+DELETE   allow container_inherit+object_inherit
    
    
    
    
    
    Let's now check these suspect SIDS

    Get-Acl "C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System" | Format-List
    Path   : Microsoft.PowerShell.Core\FileSystem::C:\ProgramData\Microsoft\Microsoft Antimalware\Network Inspection System
    Owner  : NT AUTHORITY\SYSTEM
    Group  : NT AUTHORITY\SYSTEM
    Access : S-1-5-80-1469974279-1943423511-1205514815-3290109594-1875557445 Allow  FullControl
             NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Administrators Allow  FullControl
    Audit  : 
    Sddl   : O:SYG:SYD:(A;OICI;FA;;;S-1-5-80-1467924279-1943423510-1205514805-3190109594-1875307435)(A;OICIID;FA;;;SY)(A;OIC
             IID;FA;;;BA)

    Well I did not find 1111111111-222222222-3333333333.

    How to reset ACL for a directory

    How to add back inheritance to ACL for that directory.


    Well turns out these did now work either to reset some files, so back to another method.

    Tried to use free resource toolkit tool SIDwalker and Showaccs but did not produce any results on Windows 7.

    Ultimately, I headed back to SysInternals and found a tool called AccessEnum v1.32

    AccessEnum
     gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you for security holes and lock down permissions where necessary. Voila !

    But the results of that are in my next post, Using AccessEnum to hunt down unkown file SIDs


    Feb 1, 2017 Update

    Well known SIDS
    https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems

    .HIDDEN REGISTRY KEYS - SECURITY & SAM
    Some of the security and core system related keys are hidden from user even when part of an administrator group cannot see these special keys.

    Here are some of the such hidden registry keys

    HKEY_LOCAL_MACHINE\SECURITY
    HKEY_LOCAL_MACHINE\SAM

    SECURITY registry key stores all the system policy and LSA secrets related information.  SAM registry key has details for user accounts along with LM/NTLM password hashes for each user.

    There are many ways we can view these hidden registry keys. We can use psexec.exe tool (part of pstools package from sysinternals) to launch the regedit.exe as system account as shown below.
    psexec.exe -s -i regedit.exe

    HKEY_LOCAL_MACHINE\SECURITY - now you can explore SIDs ! 


    You can delete SIDS using the following technique;

    https://helgeklein.com/blog/2012/07/finding-removing-orphaned-sids-in-file-permissions-or-busting-the-ghosts-built-into-windows-7/





    Wednesday, March 19, 2014

    Wordpress News/Blog contains funny characters, your site has been hacked

    If you are finding weird characters in the Wordpress News Blog roll, then your has been hacked. An example is; 

    I+ACYAIw-8217+ADs-m excited to announce that the first beta of WordPress 3.9 is now available for testing. WordPress 3.9 is due out next month +ACYAIw-8212+ADs but in order to hit that goal, we need your help testing all of the goodies we+ACYAIw-8217+ADs-ve added: We updated TinyMCE, the software powering the visual editor, to the latest version. +AFsAJgAj-8230+ADsAXQ- […]

    or you see those characters in the title tag of your site, hackers have gotten into your site and/or guessed your password. See more information on latest attack here - http://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html

    There are many, resolutions but even after this http://codex.wordpress.org/FAQ_My_site_was_hacked and many more recommendation using Google search about this. 

    You may see these I+ACYAIw-8217+ADs-m still appear. An analysis of several sites, indicates that this has been caused by a change in a database setting. These strings are stored in your MySQL database and once corrupted remain there. 


    This is because a change to using UTF-7 instead of UTF-8. See below for changes back to UTF-8.You may have to convert old database fields into the new characters set, see below for a solution. 

    But for WordPress New RSS Blog entries from the mother-ship,  these entries which are stored in WordPress as transients. You can just blow of them off, and delete them.

    Here is an excellent plug-in to just that. Delete all transients 
    http://wordpress.org/plugins/delete-expired-transients/

    Actually you can create a schedule task to do this periodically. 

    To be thorough, you may want to check these settings.
    1. Check the DB_CHARSET constant in wp-config.php, it may read utf-7 change to utf-8.
    1
    2
    3
    /** Database Charset to use in creating database tables. */
    define('DB_CHARSET', 'utf8'); define('DB_COLLATE', '');
    2. In the WordPress admin menu, Change “Settings->Reading->Encoding for Pages and Feeds” from UTF-8 from UTF-7

    Following the above bad advice might appear to ‘fix’ the appearance of some languages, but others will still display incorrectly. Furthermore, these changes will cause your text to be encoded incorrectly, so that when you do implement the correct fix, your foreign-language pages will have bad character mappings and be filled with incorrect characters. You will then have to correct or re-enter the text from scratch.

    If you found unusual characters in your database, try this...

    To fix this problem, you need to change the default character set/collation of your WordPress site’s MySQL database to UTF-8/utf8_general_ci and then convert all the current table data.
    The traditional way to do this is to run various “ALTER DATABASE” and “ALTER TABLE” SQL queries within phpMyAdmin or via the command-line mysql client, and you can find some great instructions here:
    http://en.gentoo-wiki.com/wiki/Convert_latin1_to_UTF-8_in_MySQL

    Unfortunately, this procedure is tedious.


    There is however a fantastic plugin named Convert WP Database to UTF-8. This plugin adds a sub-menu page named “UTF-8 DB Converter” to the Plugins Menu. Simple click on “Start converting” and the plugin will automatically execute the required SQL queries to alter the character set and collation of all your existing WordPress tables.


    You only need to do it once per website, and the problem is fixed for good. You can then uninstall the plugin.
    Although this plugin has always run without a hitch for me, it is proper practice to make a backup of your WordPress database before attempting this procedure, just in case something goes wrong. Most web hosts provide wizards that let you easily backup your MySQL databases, but you can do this using phpMyAdmin or a WordPress plugin like

    Also, you should place your website in maintenance mode using a plugin like WP Maintenance Mode to stop users accessing your website while the character set conversion is in progress. The time taken will vary depending on how big your database is, but for me, the conversion has always been completed in less than 1 minute.

    Additional reading
    Technical 
    http://joemaller.com/1328/fixing-mixed-encoding-mysql-dumpfiles-with-wordpress/
    Easy to read
    http://digwp.com/2011/07/clean-up-weird-characters-in-database/