windows, pcs, operating systems, virus, errors, bugs, trouble shooting computers

lock the taskbar option not working?

2009-10-13T00:43:00.000-07:00

it may some times caused due to the option has "greyout"

so to make it enable we should edit the registry

goto->start->run->regdit->

then HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer

delete the locktaskbar key

Networking error 71

2008-07-29T23:32:00.001-07:00

Error 71
1. Is someone connected as you? Been giving out your password?

2. Were you disconnected all of a sudden before this happens? You could be 'ghosted' on the server. The ISP can usually "bump" the 'ghost' off through radius.

How to fix Network error 20?

2008-07-29T23:30:00.000-07:00

Error 20

1. Make sure the correct modem is selected.

2. Does the modem respond to diagnostics? It may need to be reinstalled.

3. Is RNAAPP loaded into memory after closing the dialer? If so try the RNAAPP fix.

4. Reinstall NCP/DUN/RAS.

2008-07-29T23:26:00.000-07:00

Dial-Up Networking Errors(DUNS)

Windows 95, 98, Me, NT, 2000, XP, and Vista.

In later versions of operating systems (NT, 2000, XP and Vista) some of the errors can occur for connections other than traditional dial-up modem connections: they may occur with DSL and VPN (virtual private networking) connections that do not involve dial-up.

NOTE: Some solutions indicate to re-install DUNs and/or TCP/IP. See this Microsoft KB article for Win 95/98 instructions to Remove & Re-install DUNS & TCP/IP. Newer versions of Windows don't allow DUNS uninstall: see Reset DUNS (TCP/IP) in Windows 2000 & XP.

Windows Vista: Dialing directly from the 'Connect To' menu or other shortcuts will not display DUNs error codes - instead, particularly large and unhelpful dialog boxes are shown as detailed here. In order to see any DUNs error codes, you must dial from the 'Manage Network Connections' Window.

Connectoids. In many cases, DUNs Errors can be solved by correcting the properties for your dial-up networking connections.

ERROR 50 - The request is not supported.

600 - An operation is pending.

601 - The port handle is invalid.

602 - The port is already open.

603 - Caller's buffer is too small.

604 - Wrong information specified.

605 - Cannot set port information.

606 - The port is not connected.

607 - The event is invalid.

608 - The device does not exist.

609 - The device type does not exist.

610 - The buffer is invalid.

611 - The route is not available.

612 - The route is not allocated.

613 - Invalid compression specified.

614 - Out of buffers.

615 - The port was not found.

Network Cable Unplugged Errors in Windows

2008-07-29T23:23:00.000-07:00

Network Cable Unplugged Errors in Windows

If your network is not functioning properly, you may see "A Network Cable Is Unplugged" messages appear repeatedly on the Windows desktop. Messages may pop up on the screen once every few days or even once every few minutes depending on the nature of the problem. This can occur even if you are using a WiFi wireless network. How can this problem be fixed?
-------------------------------------------------------------------------------------
Several possible causes of "A Network Cable Is Unplugged" messages exist. The error message appears on a computer when an installed Ethernet adapter is seeking to make a network connection.

Disable the Ethernet network adapter if you are not using it. This applies, for example, when running a WiFi home network with computers that have built-in Ethernet adapters. To disable the adapter, double-click the small Network Cable Unplugged error window and choose the Disable option.

Check both ends of the Ethernet cable connected to the adapter to ensure they are not loose.

Replace the Ethernet cable with a different one to verify the cable is not damaged.

Update the network adapter driver software from the manufacturer's Web site.

Change the Link Speed and Duplex settings (using Device Manager) to use "100 Mbps Full Duplex" or "10 Mbps Full Duplex" instead of Auto Detect.

Replace the Ethernet network adapter if it is a removable PCI or PCMCIA card. First remove and re-insert the existing adapter hardware to verify the card is connected properly. If necessary, also replace it with a different card.

The device your Ethernet adapter is connected to, such as a broadband modem or network router may be malfunctioning. Troubleshoot these devices as needed

why my system restarts frequently?

2008-07-24T00:45:00.000-07:00

Baby, It's Hot in There
Sometimes this can be caused by an overheating situation. Itunes, RealPlayer, Windows Media player, etc. require a lot of processing power to decompress and decode music files, which can cause the processor or hard drive to get hot.

If your CPU is running at over 60 degrees (C) you might be at risk of burning it out. Some systems shut down automatically when the temperature reaches an unsafe level. Every few weeks I open my system unit and clean the fins on the heat sink that sits under the CPU. When they collect dust it restricts the airflow and prevents proper cooling. You can use a can of compressed air (look at your local office supply store) or an old toothbrush. I just did that on my system and the CPU temperature dropped by ten degrees!

Download the free Speedfan utility and it will tell you the temperature at which your CPU and hard drives are running.

Memory Fails Me...
If you determine that overheating is not the problem, the most likely suspect is bad memory. Trying to access a bad spot in your system memory (RAM) can cause the computer to freak out and restart. The best way to find the culprit is to pop open the system unit, remove (or replace) one RAM stick and see if the problem is solved. Run your system for a while and if the problem goes away, you win! If not... lather, rinse and repeat for each RAM stick until you find the one that's misbehaving.

Don't Do Me Any Favors
There's a setting buried in Windows XP that tells your computer to restart when a system error occurs. If you turn off that option, you may solve your automatic reboot problem.

Click Start, then open Control Panel

Click Performance and Maintenance

Click System

Click on the Advanced Tab

Click Settings in the Startup and Recovery section

Uncheck Automatically Restart in the System failure section

Note that this may prevent the system from restarting, but it can also mask the true problem. As an alternative to this measure, consider what has recently changed on your system. If you have installed new hardware or software, remove it and see if the annoying restart persists. Sometimes downloading the latest driver software from the manufacturer's website will fix hardware incompatibility problems that cause restarts.

Computer Restarts After Download?
Some folks have written to me complaining that their computer automatically restarts itself after every download. And interestingly, most (if not all) mentioned they were using the Firefox browser. If you are using a download manager or download accelerator, this could be causing the problem. Check all the settings in the download manager and tweak if necessary. Or get rid of the download manager and see if the problem remains.

This can also be a virus or spyware problem. I suggest you go through your Control Panel / Add or Remove Programs list and remove any programs you don't need, then run thorough anti-virus and anti-spyware scans. It could even be your anti-virus program fighting with the browser or download manager. Switching to a new anti-virus might help also. See my recommendations for the best free anti-virus software for help with that.

Other Things to Consider
Failing or under-rated power supplies can also cause your computer to restart at seemingly random intervals. Switching out a power supply is really not too hard. Turn off the computer, open the case, disconnect the power cable from the power supply to the motherboard. Unscrew the power supply from the case, and reverse the process to install a new power supply. A 300-watt power supply will be fine in most computers.

And as one reader kindly pointed out, bad capacitors on the motherboard can also cause random reboots. But unless you're kinda geeky and handy with a soldering iron, it's tough to identify and fix this problem. You can find lots more helpful info on bad capacitors at badcaps.net. For most mere mortals, replacing the motherboard as a last resort will be easier than replacing a capacitor.

I also encourage you to read ALL of the comments below, before you rip your hair out, or rip your computer to shreds. It boils down to this... most restart problems are caused by overheating, bad ram, malware, or some other failing component. It can be difficult and time-consuming to identify WHICH of those things is the culprit. The only good solution is to test each one, in sequence (removing and replacing components if necessary), to identify the problem.

how to save life of the battery of Vista operated Laptop?

2008-04-15T11:00:00.000-07:00

Now a days those who by Laptop computers they are using Windows Vista Operating System.

In this WindowsVista there is Aerouser interface, Windows Slidebar features. Because of this bettery life gets down.

so go for this url http://www.codeplex.com/vistabattery there will be a programme named vista Battery saver download that programme it will give u a different type of power files that u can install in u'r laptop . this will give good backup for the batt
ery

Use this for changing XP boot screen

2008-04-15T10:39:00.000-07:00

Now a days all are using some sharewares that change the boot screens.

But after unsinstallong these there is a way of not booting also and the system kernell may be currupted.

There is a good way to solve these

use http://www.stardock.com/products/bootskin/index.asp

in this url you can get Bootskin programe for free.

after installing it go to http://www.wincustomize.com/Skins.aspx?LibID=32 for getting screens

Hide RunAs option in Context menu after right clicking an application

2008-04-14T10:38:00.000-07:00

you all know when u run an application by your mouse right click like this

this options appear so to desable these options u can modify registry like this

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Explorer

go to Hide RunAsVerb

create a DWORD and give the valu as 1
then u can remove Runas option in context menu

u can see Run only

Puper (virus or Torjan) showing video of former pakisthani prime minister benezer Butto killing

2008-04-03T03:12:00.000-07:00

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

A new variant of the Puper trojan has been observed which is part of a threat that attempts to spread on the premise that it offers a codec to see a video of the suicide attack that killed Pakistani Prime Minister Benazir Bhutto. For more information on this threat, please see the Avert Blog.

--------------------------------------------------------------------------------
The Puper family of trojans are used to modify the internet explorer home page and search page in addition to monitoring internet usage.

The Puper trojan monitors its own processes and will continually execute them to ensure they stay in memory. Additionally it will launch every time explorer.exe gets launched.

This trojan may drop hpxxxx.tmp where xxxx is random characters. This file will be detected as puper.dll and is responsible for the start page and search page behavior.

The file hhk.d is responsible for masking the presence of registry keys created by the puper trojan.

System Changes

Files Added
%SystemDir%\intmon.exe (2 KB)
%SystemDir%\hp8af9.tmp (51 KB)
%SystemDir%\hhk.dll (6 KB)
Please note that the hp8AF9.tmp filename is hp + four random characters + .tmp
Registry

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\policies\Explorer\run
"notepad2"=%original file%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objecta\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
"(default)"="http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
"provider"=""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = "http://www.oneclicksearches.com/bar.html"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = "about:blank"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Enable Browser Extensions"="Yes"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\HELPDIR "" =" C:\WINDOWS\System32\"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\FLAGS "" = "0"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\0\win32 "" = "C:\WINDOWS\System32\hp8AF9.tmp"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0 "" = "VM HomePage Type Library"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "Version" = "1.0"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "(default)" = "{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid32 "" = "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid "" = "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F} "" = "IHomePage"
HKEY_CLASSES_ROOT\HP.1\CLSID
"default"="{f8e5c210-f232-427b-92ee-b5a6ce622951}"
HKEY_CLASSES_ROOT\HP.1
"default"="HP Class"
HKEY_CLASSES_ROOT\HP\CurVer
"default"="HP.1"
HKEY_CLASSES_ROOT\HP\CLSID
"default"="{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"
HKEY_CLASSES_ROOT\HP
""="HP Class"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\VersionIndependentProgID
"" = "VMHomepage"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\TypeLib
"" = "{f8e5c210-f232-427b-92ee-b5a6ce622951}"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\Programmable HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\ProgID "" = "VMHomepage.1"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32 "ThreadingModel" = "Apartment"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32
"(default)"="C:\WINDOWS\System32\hp8AF9.tmp"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} "" = "HP Class"
HKEY_CLASSES_ROOT\CLSID\VMHomepage.1
HKEY_CLASSES_ROOT\CLSID\VMHomepage
"CurVer" = "VMHomepage.1"
HKEY_CLASSES_ROOT\CLSID\VMHomepage
"CLSID" = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"
The following registry keys are modified:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = "http://www.oneclicksearches.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = "http://www.oneclicksearches.com/search.php?qq=%1"

Symptoms -

Presence of the files and registry entries referenced above.

Additionally the start page and search page may be reset when changed and there may be performance degradation due to the continual launching of the trojan binaries.

Method of Infection
Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction

Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob

2008-04-03T03:03:00.001-07:00

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob
Characteristics
Characteristics -

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe
Symptoms
The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection
The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov.
hotmail iana ibm.com
icrosof ietf inpris isc.o
isi.e
kernel linux math mit.e, mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secure sendmail sopho syma tanford.e, unix usenet utgers.ed, Additionally,
the worm contains strings,
which it uses to randomly generate,
or guess, email addresses. These are prepended as user names to harvested domain names:

sandra, linda ,julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.

W32/Zhelatin.gen!eml

2008-04-03T02:56:00.000-07:00

This is a generic detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download.
On visiting the link, a cocktail of browser and application exploits that attempts a drive-by install of malware on the users machine is performed.
The script which is used for the drive-by download is detected as JS/Downloader-BCZ.

Characteristics -
This threat is updated on a daily basis.
For the latest on the tactics used by this virus family, please check the Avert Blog.
This is a detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download.

User receives an email titled “You’re received a postcard” in his inbox and is requested to open the link contained in the message body in order to view the virtual postcard.
On visiting the link, a cocktail of browser and application exploits that attempts a drive-by install of malware on the users machine is performed.
A copy of the spammed message is as follows:
Note: The link in the message has been sanitized to protect users from guessing.
Symptoms
Presence of the W32/Zhelatin.gen!eml detection is not an indication that a system has become actively infected.
The from address is spoofed when sending infectious email messages and therefore, it can not be assumed that the from user address is any indication of which user may actually be infected.The following list of subject lines have been observed in the wild:

You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a class-mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a neighbour!
You’ve received a greeting card from a partnerCustomers should simply delete all email messages identified as W32/Zhelatin.gen!eml.
Method of Infection
The URL in the message points to a site hosting the a cocktail of browser and application exploits. On visiting the site, a silent drive-by install of malware is attempted on unpatched machines.
Removal - A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations

what iis Sohanad.AE

2008-04-01T11:21:00.000-07:00

Sohanad.AE is a worm. The worm will infect Windows systems and spreads through Yahoo! Messenger, a popular instant messaging application.

The worm arrives as a downloaded file via Yahoo! Messenger.

Upon execution, this worm copies itself as SVHOST32.EXE and SVHOST.EXE in the Windows folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo! Messenger.

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

The worm also modifies the registry to disable Registry Editor and Task Manager.

It also changes the Internet Explorer (IE) home page to;

http://(BLOCKED)coolpics.net

This worm propagates via Yahoo! Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipients' system.

The details of the message sent out by this worm are;

Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon ;))
:D who is beside you in this pic http://thecoolpics.net/friendpic1.jpg so good-looking
:( the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg << :(
Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !! <<
oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<

It also attempts to connect to the following website to download and execute some malicious files.

http://{BLOCKED}vey-sales.com/ipn/transactions/en.exe
http://{BLOCKED}vey-sales.com/ipn/transactions/link-en.exe

The worm tries to terminate some of the security related processes.

This worm first appeared on November 12, 2006.

what is Nhatquanglan Virus?(newfolder.exe, dos.com)

2008-04-01T11:07:00.000-07:00

A Nhatquanglan Virus?

Sit along with me as you discover what are the three filesjavascript:void(0)
Publish Post that make up a Nhatquanglan virus infection and how you can protect yourself from a possible threat to your personal security. A Nhatquanglan Virus is a really annoying virus that takes away your power over your PC by blocking important programs from running.

It disguises itself as a folder but is actually a program that sends out your personal information over the internet for everyone to see. You may or may not have a Nhatquanglan virus on your PC yet, but to be safe, it would be wise for you to discover how it can affect you and ways on how to protect yourself.

When you forgot to take care, below are just some of the ways this virus can affect you.

Nhatquanglan Virus blocks Device Manager

Device Manager is the page where you manage everything that is connected to your PC. This includes hard disk drives, modems, printers, monitors - you name it, it’s there. You use this to replace old software that makes a particular computer part work, or to change hardware settings, add a new piece of hardware, or to stop it from working completely and more.

Aside from this, Device Manager is usually the place where tech support tells their clients to go when dealing with problems with their PC’s. When you are infected by a Nhatquanglan virus, all your power to change the settings of the peripherals on your PC is gone. Now, when a modem does not work, you cannot check what is wrong with it - and you can’t connect to the internet either.

Nhatquanglan Virus and Task Manager

Aside from not letting you use your PC’s Device Manager, there are other ways that this virus can give you a hard day. When your PC is infected with a Nhatquanglan virus, and a program that you are using has crashed or hanged, you no longer have the power to “kill” the offending program because the Nhatquanglan will not let you use Task Manager - one of the useful tools included with your Windows installation.

Because you cannot use Windows Task Manager, you cannot lock your PC everytime you take a break - making it possible for everyone to look at what you are doing. There are other ways that a Nhatquanglan virus can give you a bad day and some of it, you might not want to know.

Let’s not talk about how annoying a Nhatquanglan virus is anymore - I think you already have an idea. If you want more, here is a list of annoyances it can give you - or you can just say goodbye to these problems by getting rid of a Nhatquanglan virus right now.

* It does not allow you to run Regedit to change Windows XP registry settings.
* It will not allow you to run the Command Prompt, where some of the more important Windows XP commands can only be used.
* It will not allow you to change File Type Extensions. Too bad, you can use this tweak to make Microsoft Excel 2007 start faster.
* You cannot change a folder to be hidden or not - you just cannot do that because it takes away the Folder Options.
* It can infect other PCs as well - annoying if you are on a network. It can also transfer itself to thumb drives (Ipods, Flash disks, etc).

Nhatquanglan Virus Files

There are files that you need to remove for you to get rid of a Nhatquanglan virus infection. And they are:

* blastclnnn.exe
* scvshosts.exe
* hinhem.scr
* New Folder.exe

Did you know that you can do a simple test to see if your PC is infected with a Nhatquanglan virus? And as you go along reading this article, you’ll find out for yourself.

For you to be protected, I believe that it is important that you know more about this virus - this will give you the necessary information you need in case you or your friend do get infected.

You have already discovered how a Nhatquanglan virus can annoy you. Now discover how this virus works…
How A Nhatquanglan Virus Ruins Your Day

The Nhatquanglan disguises itself as a folder inside the folder that it has infected. Too confusing? Let me put it this way: Suppose you have a folder named CLEAN. The virus will make copies of itself on the CLEAN folder using CLEAN as its name. Now, you have a program named CLEAN on the CLEAN folder.

Here’s a tip: To tell if it’s a program and not a real folder, hover your mouse over it and look at the tool tip that pops up.

If it’s a real folder, it must not show the word “File Version:” If it does, do not open or double click it!! That might be a Nhatquanglan virus!

Nhatquanglan Virus Removal Instructions

What I am about to reveal to you is how I got rid of a Nhatquanglan infection using only one free tool that you can download over the Internet.

This fix worked for me but yours may vary - use the guide I am about to give at your own risk. Or, avail of those software that scans your PC for viruses and have it scanned for you.

To start, you need to have a copy of ComboFix saved on your PC. ComboFix scans your drive for possible infections and tries to delete the three hidden files that the Nhatquanglan uses to make copies of itself. ComboFix is a free tool.

Avail of your copy and save it on your hard drive and remember where you saved it. For this guide, I am assuming that you have saved it on the C:\ drive.

Restart your PC in Safe Mode. You do this by pressing the F5 key when your pc starts. You need to use Safe Mode with Command Prompt. Don’t mind the list of files that Windows Xp loads as it starts.

Now, while at the Command Prompt, you need to use the ComboFix program by typing (without the quotes): “combofix”And hitting the Enter key.ComboFix will now do its job - scanning your PC for Nhatquanglan infections. Just follow what ComboFix says. After it finishes, the file which shows you what ComboFix had done will open up.

You may read it if you like, but most of them are jargons. Hopefully, Combofix has cleaned your PC of a Nhatquanglan virus infection - but to be sure you need to do some last minute cleaning.

I’ll reveal to you what you should do…

Go to the Command Prompt and do the following (without the quotes), hitting the Enter key after each command:

“cd \”

“del c:\windows\system32\scvshosts.exe”

“del c:\windows\system32\blastclnnn.exe”

“del c:\windows\hinhem.scr”

What you just did is deleted the three Nhatquanglan files. Take note of the spelling specially scvshosts.exe. This is different from svchost.exe which is an important Windows XP file!

You also need to remove a task that is scheduled by the Nhatquanglan virus. This virus adds one task to the Task Scheduler - so everytime you open up your PC, it executes this task, which is to make copies of itself. This is how it manages to appear again and again even if you managed to delete the three nhatquanglan files: scvshosts.exe, blastclnnn.exe and hinhem.scr. To remove the scheduled task, you need to take a peek at the lists. You do this by going to the Command Prompt and typing the following command (without the quotes):

“cd \”
“cd windows\tasks”
“del *.job”

Note: The last command above deletes everything in the Windows\Tasks folder. If you have tasks scheduled and you do not want them to be deleted, you need to manually check each one. A scheduled task that has scvshosts.exe as the program to be performed, needs to be deleted.

When all is ok, you may now restart your PC. Hopefully, you can now use the Task Manager, Device Manager, Folder Options and other commands in Windows XP. Remember the trick I told you about on how to see if there is a Nhatquanglan virus on your PC? I’ll reveal it to you now…

As a preventive measure, you might want to change how your files show when you explore them on your PC. Set them to Details.

That’s all there is to it. Now, when you glance at the folder name, also take a look at its Type column. If the picture of the folder is a folder but under the Type column it reads Application, you might want to reconsider opening it. It might be a virus… just waiting to pounce on you.
Tips On How to Prevent Future Virus Infections

After you have successfully removed a Nhatquanglan virus infection, it would be wise to take extra measures to prevent this virus from infecting your PC again. A simple change in surfing habits - such as looking out for suspicious sites, can dramatically decrease your chance of getting one of these viruses.

A Nhatquanglan virus can also spread itself via your thumb drive such as an Apple Ipod, etc. Speaking from experience, I would recommend that you install reliable software that monitors and protects your PC from viruses.

Your best bet would be an anti-virus and a firewall. The anti-virus is to help detect a virus as it moves, giving you the option to delete it or put it in a quarantine so it won’t infect other files.

A firewall blocks suspicious incoming connections to your PC - pretty much how a Nhatquanglan managed to infect your PC. Having a copy of an anti-spyware/malware can also help a lot.

Tool for opening task manager and regisryeditor when virus effects

2008-04-01T10:50:00.000-07:00

If your systems Task manager ,Registry are disabled by any Viruses such as sohanand,Nhatquanglan i.e,, Heap41 virus and Newfolder.exe you can use the following tool for recovering the teask manger and registry

http://luqsoft.com/diskheal

after using this tool u must remove that virus.this tool is only for recovering the required TskManager and regedit

W32/Mytob.gen@MMType Virus

2008-03-30T00:29:00.000-07:00

W32/Mytob.gen@MMType Virus SubType Email Generic Discovery Date 03/02/2005 Length Varies Minimum DAT 4438 (03/02/2005) Updated DAT 5249 (03/11/2008) Minimum Engine 5.1.00 Description Added 03/02/2005 Description Modified 05/18/2005 12:08 PM (PT) Type
Type of threat.
SubType
Additional type information.
Discovery Date
Date that AVERT discovered this threat.
Length
File size, in bytes, of the threat.
Minimum DAT
McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and are available on the Anti-Virus Updates page.

Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.

For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.
Updated DAT
McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up to date detection.
Minimum Engine
The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and are available on the Anti-Virus Updates page.
Description Added
Date/time this description was published using Pacific Time.
Description Modified
Date/time this description was last modified using Pacific Time.
Risk Assessment
Corporate User Low
Home User Low Tab Navigation
Overview Characteristics Symptoms Method of Infection Removal Variants All Information Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob Characteristics

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe
Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection

The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.
Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants
Variants
N/A

All Information
Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob
Characteristics
Characteristics -

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe

Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection

The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.
Removal -
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

You may be a victim of software counterfeiting.

2008-03-30T00:18:00.000-07:00

You may be a victim of software counterfeiting.

Microsoft has finally activated the most aggressive part of their Windows Genuine Advantage program -- active notifications.

After downloading the latest Windows updates, if your Windows cd-key doesn't validate against Microsoft's online database of cd-keys, you may be greeted with this unpleasant five-second mandatory delay dialog at the login page:

This copy of Windows is not genuine. You may be a victim of software counterfeiting. This copy of Windows is not genuine and is not eligible to receive the full range of upgrades and product support from Microsoft.

On top of that, you get a repeating balloon notification that nags you periodically while you use the operating system:

You may be a victim of software counterfeiting. This copy of Windows is not genuine. Click this balloon to resolve now.

The warnings also get more dire as time progresses:

This copy of Windows is not genuine and you have not resolved the issue. This computer is no longer eligible to receive select security upgrades from Microsoft. To protect your computer, you must click Get Genuine now.

The language here is a little misleading. Microsoft is socially obligated to provide critical security updates to pirated machines. Otherwise those vulnerable machines will eventually be compromised and potentially used in denial of service attacks and other nefarious schemes. Microsoft does provide so-called "critical" updates to all Windows machines, regardless of whether or not they're genuine.

This is all courtesy of the mandatory "Windows Genuine Advantage Notification" service that is being delivered now through Windows Update. This isn't just a service you can disable, or a process you can kill in task manager, either. You'll have to install some kind of questionable third-party hack to get around it.

I suppose it's only malware if you're a pirate. What's a poor, beleaguered user to do? Microsoft offers five options:

1. Purchase a valid Windows XP cd-key online from Microsoft.
2. If you can produce high-quality counterfeit media, along with a proof of purchase, you can get a free replacement key from Microsoft.
3. Contact your reseller for redress.
4. Purchase Windows XP from a local OEM reseller.
5. Purchase Windows XP at a retail location.

Notice the word "Purchase" appears in three of those five options. There's almost no way to finagle a free cd-key out of this.

BIOS Explained

2008-03-08T03:14:00.001-08:00

BIOS Explained

Every computer has BIOS (Basic Input/Output System) that runs a diagnostic test each time the computer boots up. Before it launches the operating system, the BIOS checks to make sure all the hardware is working. It then works with the computer’s hardware components with the operating system.

The BIOS is stored in a ROM chip that is on your motherboard. PCs built in the past couple of years use flash BIOS, which means the BIOS is on a flash ROM chip. These chips are more easily updated than regular ROM chips. ROM is an ideal place for the BIOS because it is on a safe place on the motherboard where it is not vulnerable to drive failures. However, because ROM is slower than RAM, newer computers copy the BIOS from ROM to RAM during the startup process. This process is called shadowing, and it improves the performance of your PC.

The diagnostic test that the BIOS performs is a POST (power on self test) for the keyboard, drives, ports, chips, and all other components in the system to make sure they are working correctly. You can see and hear the BIOS performing this POST during your system’s startup process. One long beep means the BIOS successfully completed all the hardware tests. A combination of shorter beeps indicates a number of different errors. (See the Common Error Messages section for more information.) A healthy system BIOS will display information about the computer, including the amount of RAM, the number of drives, and the type of processor. If the BIOS detects a hardware problem, it will halt and display a text error messages on-screen. When this happens, you need to know how to fix or adjust your BIOS.

Time For A Change. When you have a BIOS problem, you will probably need to make changes in your BIOS’ settings. Even though this is easy and takes only a few minutes, making the wrong change can wreak havoc on your system. A problematic setting could prevent your computer from rebooting. Be very cautious and change nothing that isn’t necessary.

To change your BIOS settings, you must enter the computer’s CMOS (complementary metal-oxide semiconductor) setup screen during the startup process. CMOS is a small chip that stores information about your particular system and its devices.

To find the CMOS setup screen, reboot your computer. Start by pressing a certain keyboard combination during startup. You should see a line of text at the bottom of the display that tells you which key or keys you need to press to enter the CMOS or Setup area. (NOTE: You may have to completely shut down your system and turn it back on to see what this key combination is.) Most systems use ESC, DELETE, F1, F2, CTRL-ESC, or CTRL-ALT-ESC. If the screen doesn’t indicate which keys to press, the computer’s documentation should do so.

The screen will display several menus, each with rows and columns displaying options for changing dozens of settings. The wording is different according to each system and BIOS manufacturer. Here are some common settings and their definitions, although the names might be different in your CMOS:

System Time/Date: Lets you change the time and date displayed in the lower right corner of Windows.

Security or Password Protection: Lets you set a password for accessing the computer. Because Windows’ password screen is easy to avoid (you can press ESC or click Cancel), this BIOS option provides tighter security and requires you to enter the password before the system ever boots. Be sure to write down your new password because if you forget, it will take a great deal of work to access your computer again. (See the “Password Pains” sidebar for information on what to do if you do forget this password.)

Enable Number Lock: This setting is essential for anyone who uses the numbers on the 10-key section on the far right of the keyboard. However, if you don’t use the number pad, and you don’t like the little green light that comes on every time you boot up—the one that tells you the number lock is enabled—turn off this setting. (NOTE: You might find this option under the Start Options category.)

Memory: Because BIOS is on a relatively slow ROM chip, this setting lets you direct BIOS to shadow with RAM or a different memory source. (NOTE: You might find this option under the Advanced Setup category.)

Boot Sequence: This setting determines the order in which the BIOS reads drives in search of startup instructions. The BIOS traditionally begins with the hard drive. Change this setting to boot your machine from a CD-ROM or Zip disk when you reinstall the OS or use a boot diskette.

Exit: When you are ready to leave CMOS, you will have the options of saving the changes, discarding the changes, or restoring the system default settings. If you made changes, your computer will restart to put the new settings into effect. If you suspect that you’ve made a problematic change, exit without saving.

Upgrade. Newer computers rarely, if ever, need to have their BIOSes upgraded to work with new equipment. Both software and hardware upgrades typically come with drivers, software you install so the devices can work with your computer. Older computers, on the other hand, might need a BIOS upgrade to understand new hardware and software installed on the system. An upgrade will also have the ability to correct newly detected bugs.

To upgrade an old BIOS, start by reading the screen during startup and looking for the name of the BIOS manufacturer. If you don’t see the name of your manufacturer, go into the CMOS setup (see the above instructions). The very top of the CMOS screen should identify the BIOS maker. The largest manufacturers are Acer Labs, AMI (American Megatrends), Microid Research (Mr. BIOS), Phoenix Technologies, and Winbond.

You can also determine the manufacturer in Windows. In Windows 98 and Me, click the Start button, Programs, Accessories, System Tools, and then System Information. At the top of the left column, click System Summary. Then, you should see the BIOS Version line.

Next, find the version number of your present BIOS (if you can). This is a long string of digits and letters that flashes at the top of the screen during the first moments of start up. Press the PAUSE key to freeze the screen while you record the number. If you can find it, go back to the CMOS setup and find the BIOS date.

Go to the BIOS manufacturer’s Web site and find a BIOS upgrade program for your system. Look under a link called Free Downloads or Technical Support, then follow the instructions specific to your model PC. Upgrading BIOS can backfire if you install a version that is not compatible with your system. Thus, upgrade only when you are sure it is necessary and then do so carefully, double-checking that you are downloading the proper update. You may want to contact technical support before you install the file.

Be very careful once you enter the CMOS setup screen and start making changes. Incorrect settings could prevent the computer from rebooting.

Copy the program, including the update and utility, onto a diskette. Restart the computer with the diskette in the drive. The program should erase the old BIOS settings and install new ones. In addition, follow any manufacturer instructions for installing the software.

Fix. If you’ve tried troubleshooting a piece of hardware to no avail, the problem might be hidden in your BIOS settings. To find out, enter CMOS by pressing the correct keyboard combination during the startup process, as described above. Try these steps to correct poorly set BIOS. ( NOTE: The names for each setting might be different in your CMOS and/or you may not have some of these settings.)

The system is not detecting a new drive. Go to a CMOS setting called Drive Configuration, Hard Disk Settings, or even Devices And I/O Ports. It lets you configure the hard drives, CD-ROM drives, and diskette drives. PCs made in the past few years come with an automatic-detection program that enters configuration data into CMOS. If your system is older than that, or if you installed a drive your system is not detecting, enter the drive information manually to prompt your system to detect it. You do this in CMOS, where your drive information is located. This area is often called Drive Configuration, Hard Disk Settings, or something along those lines. There will be an option where you can choose between manual detection and automatic detection.

Diskette drive problems. If you are encountering mysterious diskette drive problems, go into the Diskette Disk or Devices And I/O Ports settings. Make sure it shows the type of drive in your A and B ports. For example, if your port has a drive for a 3.5-inch diskette or a 1.44MB diskette, the BIOS setting should reflect that information. If your computer is refusing to save data onto a diskette, make sure the Floppy Read Only setting is disabled. This setting prevents you from writing data to a diskette.

Trouble installing a mouse. If you’ve plugged in a mouse or other serial device and it is not responding, go to Serial Port Settings. This setting might have the port turned off or labeled as Disabled.

Printer woes. A new printer that is running slowly or refuses to work at all might be the victim of the wrong mode setting of its parallel port. Find a group of settings called Parallel Port or Parallel Port Setup. They will give you choice of four modes that determine the speed and transmission capabilities of the parallel-port connection: standard, bi-directional, ECP (extended capabilities port), or EPP (enhanced parallel port). Printers made several years ago use the slower, standard mode and may not work if plugged into a port set to a fast mode. Similarly, new printers may not function unless you set their ports to ECP.

Common Error Messages. Many other common BIOS problems will probably disturb your PC at one time or another. Many of these quirks will happen during the startup process. If the BIOS detects a difficulty during startup, the screen will display an error message or the system speaker will emit a combination of beeps to help you narrow down the irregularity. The computer’s documentation and BIOS manufacturer’s Web site should list dozens of codes and their meanings. Here, we translate common beep codes and error messages, although they may not be the same for your system. ( NOTE: To fix any of these problems, you may need to check with your computer’s BIOS manufacturer.)

CMOS Checksum Error —BIOS thinks a virus, dying battery, or other anomaly has changed a CMOS setting without your knowledge. This can happen when you flash the BIOS. Go into CMOS, restore the old settings, and reboot the computer. If the error does not recur, run an antivirus program just in case a bug has changed the CMOS settings. If the error does recur, replace the battery. This battery is important because it keeps the BIOS safe from power outages. Just open up the case and replace the battery. Don’t worry about losing information; it takes some time before the battery drains. However, you should replace the battery as quickly as possible.

Battery State Low—You don’t need to go into CMOS because this error specifies the problem. Open the case and replace the battery.

Diskette Drive A Error or Incorrect Drive A Type—Cables connected to Drive A might be loose. Turn off the computer, ground yourself, open up the case, and tighten cables leading to Drive A. If the message comes back when you reboot, go into CMOS to confirm you have the drive properly configured.

Keyboard Error— There is probably a loose cable between the keyboard and CPU. Tighten every cable and reboot your system. “Keyboard Error NN” indicates a key is stuck.

Diskette Boot Failure—If you’re trying to boot up from a diskette, the BIOS thinks the diskette is corrupted or has a virus. Try to boot up another computer with this diskette to learn whether it’s truly corrupted or whether your computer is to blame.

Display Switch Not Proper—A video switch (physical circuitry) on the motherboard should be set to color, but it is set to monochrome or vice versa. Turn off the machine, change the switch on the motherboard, and reboot.

KB/Interface Error—The keyboard connector is malfunctioning.

FDD Controller Failure—BIOS cannot communicate with the diskette drive controller.

HDD Controller Failure—BIOS cannot communicate with the hard drive controller.

DMA Error—The Direct Memory Access controller is malfunctioning.

One short beep—There is a problem with the memory refresh circuits on the motherboard.

Five short beeps—The CPU is indicating an error.

Eight short beeps—The video card (also called graphics card or video adapter) is missing, is not responding to the BIOS POST, or has faulty memory.

One long and three short beeps—The monitor or video RAM has failed. If you confirm these devices are functioning properly, check other parts of the video system.

Don’t Be Afraid; Be Careful. If you have a BIOS error or BIOS-related problems, don’t be afraid to try to fix the problem. If you ever foul up your system even more, reboot it while holding down the key or keys used to enter setup. This bypasses extended CMOS settings and is the first step in getting your PC up and running again. Once you get to the Setup menu, you can reload the original factory settings by choosing Load Values From CMOS. However, remember that changes you have made to the BIOS since you bought the PC, including adding storage devices, will not be reflected in these values. In addition, sometimes you can make changes that will prevent your system from rebooting again, so just be careful.

by Raya Tahan

Password Pains

Many users take advantage of the extra security settings offered in the BIOS (Basic Input/Output System). Although a computer thief or unscrupulous co-worker could easily get past your Windows password, he would have infinitely more difficulty cracking a password set in the BIOS. The downside to having this higher level of security is you will lock out yourself if you forget your password.

A CMOS (complementary metal-oxide semiconductor)-set password will cause the system to prompt you for the password during every startup, before it launches the operating system. If you lose your password or it suddenly does not work, you could have a big problem.

The first thing to do is to try to find a default or backdoor password that works with your brand of BIOS. Most major BIOS manufacturers program their chips to work with certain words as a password. Try typing the name of the manufacturer in as your password. For example, your might try “AMI,” “Award,” or “Mr Bios.” Some manufacturers set the default password to be a common word such as, “bios,” “setup,” “cmos,” “password,” “sw,” “SW,” or “BIOSTAR.”

If those don’t work, contact the maker of your PC, motherboard, and BIOS to ask whether a default password exists. If so, they should reveal it to you when you provide a receipt to show you own the PC.

If the manufacturer will not help, you must open up the case and make physical changes to the motherboard. Always unplug the computer and ground yourself by touching metal.

The motherboard manual might list a jumper that clears the present CMOS password. If this is the case, just reset the jumper and boot up your personal computer.

If your motherboard lacks this setting, you probably have to use a different motherboard jumper that resets the entire contents of the CMOS program. Find a jumper that has three pins adjacent to the battery. Reset CMOS by moving the jumper from 1-2 to 2-3, or from 2-3 to 1-2. If you had gone into CMOS and manually configured the date, time, disk drive detection, and other settings, you’ll have to do that all over again once you can get into your computer.

If your motherboard has no reset jumper whatsoever, your last resort is to erase the BIOS settings by physically pulling the CMOS battery off the motherboard. It’s a small, round battery, usually sitting near the power connector. Remove it from the board and keep it off for several hours because it takes that long for the charge to drain out of the CMOS circuits.

If your CMOS battery is soldered down to the motherboard, you should probably have a technician replace it.

Note: This compilation of information are from various sources. All credit due to its authors.
XP Support- 01/01/2005 12:42 AM - Home Page WinXP
© Copyright Kelly Theriot MS-MVP(DTS) 2005. All rights reserved.

Error Message with RAM Problems or Damaged Virtual Memory Manager

2008-03-08T03:07:00.001-08:00

SYMPTOMS
When your computer restarts after you install Windows XP Home Edition, you may receive either of the following error messages:
System has recovered from a serious error
DRIVER_IRQL_NOT_LESS_OR_EQUAL

CAUSE
This behavior may occur if either of the following conditions exist:
• One or more of the random access memory (RAM) modules that are installed in your computer are faulty, or the memory modules are not compatible with the chip set on your computer mainboard.
• The Page file that is used by the Virtual Memory Manager may be damaged.

RESOLUTION
To resolve this issue:
1. Make sure that the memory modules in your computer are compatible with the chip set on your computer mainboard.

If you change your RAM, test to determine if the issue is resolved. If the issue is resolved, do not complete the remaining steps. If the issue is not resolved, go to step 2.
2. Click Start, right-click My Computer, and then click Properties.
3. Click the Advanced tab.
4. Under Performance, click Settings.
5. Click the Advanced tab.
6. Under Virtual Memory, click Change.
7. Click No paging file. Click OK, click OK, and then click OK.
8. Restart your computer.
9. Click Start, right-click My Computer, and then click Properties.
10. Click the Advanced tab.
11. Under Performance, click Settings.
12. Click the Advanced tab.
13. Under Virtual Memory, click Change.
14. Click System managed sized. Click OK, click OK, and then click OK.
15. Restart your computer.

Removing the Happy99.exe Virus/Worm

2008-03-08T03:03:00.000-08:00

This virus or worm as it is better described is attached to newsgroup and e-mail messages as an attachment called Happy99.exe. You cannot get infected with this virus just by reading a newsgroup or e-mail message. You have to execute the attachment by opening it. Generally, the person who sent it does not know that they are sending it out. If you didn't execute the attachment, you can just delete it and move on. If you execute an infected attachment, it will display a firework display, once its been activated every email you send will have the file attached. When someone else opens it, the virus spreads and the destruction continues.

Here's how Happy99.exe infects your system:

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original WSOCK32.DLL to WSOCK32.SKA. Then it will modify WSOCK32.DLL without changing its size so it will try to run SKA.DLL while posting to Usenet and sending E-Mail. The SKA.DLL file will silently attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages with a barely noticable delay.

It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a connnection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts. It will still create WSOCK32.SKA even if it is unable to modify WSOCK32.DLL. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder. It will try not to send the Happy99.exe file twice to the same person.

Since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral action. However using a modified WSOCK32.DLL could cause problems while on the Internet. The most common problem that has been reported is invalid page faults, but these can have other causes. Restoring the original WSOCK32.DLL will correct these problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. Under Windows NT it will create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or modify WSOCK32.DLL. If you have NT, you don't have to follow the removal steps; you can simply delete SKA.DLL and SKA.EXE from inside Windows NT if you would like.

Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.

It contains the encrypted text:

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."

Automatic Removal of Happy99.exe

Download the following file, unzip it and run it in Windows95 or Windows 98 by double-clicking on it. This small program will perform the steps seen in the manual removal method with no user intervention. Once the program is run, your system will want to reboot. This must happen to completely remove the happy99.exe worm.

Craig Schmugar's Happy99Cleaner program (click to download)

Another Happy99.exe Remover (click to download)

Manual Removal of Happy99.exe

Steps marked optional are not absolutely necessary and are completely safe to skip. If you're not comfortable with DOS, get someone knowledgable to help you with this. I cannot make guarantees of perfect safety since its a manual removal, Perform these at your own risk. If you have Windows NT, you don't have to follow the removal steps.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to exit Windows in order to be able to replace the file WSOCK32.DLL which Windows normally has in use.

2.At the DOS prompt type this exactly and press enter at the end of each line:

CD \WINDOWS\SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing

DEL SKA.EXE
DEL SKA.DLL

If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.

4.Copy WSOCK32.SKA to WSOCK32.DLL by typing

ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.

WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the modified DLL with the original. If you get a "Sharing violation" make sure you followed step 1.

5.Optional Delete WSOCK32.SKA by typing

DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

6.Return to Windows by typing

EXIT

7.Optional Delete Windows Registry Key.
Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also, you'll only find it in the registry if you haven't rebooted since you ran HAPPY99.EXE.

8.Optional Choose Start, Programs, Accessories, Notepad, choose File, then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA. Make it clear to the people you warn that they won't be infected unless they ran happy99.exe, to avoid alarming them unnecessarily. If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.

9. Optional Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will vary depending on where you saved it. You can delete it simply by dragging it to the Recycle Bin from within Windows or whatever method you prefer. You may still have some messages with HAPPY99.EXE attached in your mailbox. These cannot do anything unless you run them. You can delete them if you want to or just ignore them. 10.Optional If you aren't sure whether WSOCK32.DLL is infected, choose Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive C: or whatever drive you have Windows on. In the "Containing Text" box type "ska.dll" without the quotes. Then click "Find Now". If you don't find any files, that means that wsock32.dll isn't the modified version. If you don't have the modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if you have SKA.EXE, SKA.DLL, and WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the RunOnce registry section, and you haven't deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next time you restart the computer.

Make sure you type the instructions exactly including spaces and punctuation. You might want to print out the removal instructions so you have something to refer to. If you're having trouble with the DOS commands, get a local person to help you with them. It's hard to know exactly how you're typing the DOS commands and what your exact situation is without seeing it in person.

How to Fix SVCHOST.EXE Application Error 0x745f2780

2008-03-08T03:01:00.000-08:00

How to Repair this SVCHOST.EXE error
After some investigating into the 0X745f2780 SVCHOST error, it became apparent the problem is a corrupted Windows Update in Windows XP. Follow the steps below to fix this error.

Verify Windows Update Service Settings

* Click on Start, Run and type the following command in the open box and click OK

services.msc

* Find the Automatic Updates service and double-click on it.
* Click on the Log On Tab and make sure the "Local System Account" is selected as the logon account and the box for "allow service to interact with desktop" is UNCHECKED.
* Under the Hardware Profile section in the Log On Tab, make sure the service is enabled.
* On the General Tab, the Startup Type should be Automatic, if not, drop the box down and select Automatic.
* Under "Service Status" on the General tab, the service should be Started, click the Start button enable it.
* Repeat the steps above for the service "Background Intelligent Transfer Service (BITS)"

Re-Register Windows Update DLLs

* Click on Start, Run, and type CMD and click ok
* In the black command window type the following command and press Enter

REGSVR32 WUAPI.DLL

* Wait until you receive the "DllRegisterServer in WUAPI.DLL succeeded" message and click OK
* Repeat the last two steps above for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

Remove Corrupted Windows Update Files

* At the command prompt, type the following command and press Enter

net stop WuAuServ
* Still at the command prompt,

type cd %windir% and press Enter
* In the opened folder, type the following command and press Enter to rename the SoftwareDistribution Folder

ren SoftwareDistribution SD_OLD
* Restart the Windows Update Service by typing the following at the command prompt

net start WuAuServ

* type Exit and Press Enter to close the command prompt

Reboot Windows

* click on Start, Shut Down, and Restart to reboot Windows XP

Although this method may not solve all of the issues with a SVCHOST.EXE Application error, I have found it fixed the problem with the 0x745f2780 reference error.

Other Issues with SVCHOST.EXE

I've encountered other issues with SVCHOST taking up 100% of the CPU Cycles. These issues are usually experienced with Windows Update in some form or another. To fix this frustrating problem, following these steps:

1) Download and install Update for Windows XP (KB927891)
2) Download and install an update for Windows Update Agent WSUS 3.0
3) Restart your computer and your computer should run better with slowing to a crawl because of SVCHOST.EXE

How to Fix Windows Update Error 0x80070420

2008-03-08T02:57:00.000-08:00

you have Windows XP and are receiving the Windows Update Error 0x80070420, please follow the steps below to solve it.

First, Check to see if you have Windows Installer 3.1 installed on your computer. To do this follow these steps:

1) Click on Start, Control Panel
2) Double-click on Add/Remove Programs
3) Search your Program List for the program

4) If you find it there, click on Remove to uninstall it. Then reboot your computer. If it is not there proceed to step 5.

5) Click on the following link to Microsoft's Download Center to download Windows Installer 3.1

http://www.microsoft.com/downloads/details.aspx?familyid=889482fc-5f56-4a38-b838-de776fd4138c&displaylang=en

6) Install Windows Installer 3.1 and reboot your computer

7) Go to Windows Update and try to download the updates again.

Note: sometimes you may also receive this error if Windows XP has not been activated. To read about How to Activate Windows XP, click on the following support article from Microsoft.

http://support.microsoft.com/?kbid=307890

Internet Privacy Software to clean your computer tracks and keep your computer safe

2008-03-08T02:55:00.000-08:00

What's so important about Internet Privacy?
Every time you open a browser to view a web page, order something online, or read your email in a web based viewer that information is stored on your computer for later use. Whether you are viewing the weather online, reading sports, catching up on the latest world news or viewing something a little more private, all that information is stored in your computer. Windows operating systems store all this material in what are called Temporary Internet Files or cache. Web pages may store bits of information about who you are when you visit web sites in files called cookies on your computer. Your web browser will store a list of web sites you've visited and places you've gone in a history file in your computer. Even if you are not online, programs will store histories of the files you've opened, played, or viewed.

Generally there might not be any reason to worry about all these files in your computer, but what if you sell your computer and all that information is left for someone else to see. Maybe friends and relatives visit and use your computer and you dont want everyone to know what files you are running on your computer. Then you are going to want to know how to delete these files.

Even if you are not worried about privacy on your computer, you may be surprised to realize how much hard drive space all this information takes up. If you are running out of drive space, you may want to delete these files.

How can I delete these files?

For Internet Explorer 5 and above, you can follow these directions to clear out temporary files and delete cookies.

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive.

To clear the Internet History in IE:

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Clear History
4) Click OK

To clean up other temporary files on your computer in Windows 98 or higher:

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files

Are there programs to do this automatically?

One of the first and still the best programs on the market to clear internet files, run history, cookies, and other files is Window Washer by Webroot Software. It even has a "bleach" feature to make sure that information cannot be read once its deleted. You can read more about Window Washer by clicking on the picture below:

Window Washer

The other side of this problem is how do you recover an accidentally deleted file? Is it gone forever? Well the easy answer to that question is no, recovering it however may be more difficult unless you have special recovery software. One of the easiest pieces of software to recover important files is File-Saver. File-Saver can:

*

Instantly displays hundreds of deleted files from any drive on your computer
*

Provides full detail on each file, including filename, folder and last modified date
*

Allows you to quickly erase all confidential data, by wiping out all the hidden "undelete" data from your PC
*

Restore any file by back to the location of your choice, by clicking the 'Restore by Copying' button
*

Easily narrow down the results to just the file you want, using the built-in file and extension filter

Recover from a Corrupted Registry in Windows XP

2008-03-08T02:53:00.001-08:00

When Will This Recovery Work?
You'll want to use the steps on this page to recover from a corrupted registry when you have already tried other options such as System Restore and you receive a message similar to one of the following when you try to boot your computer with Windows XP.

* Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

* Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate

* System error: Lsass.exe
When trying to update a password the return status indicates that the value provided as the current password is not correct.

Be careful using this procedure in other circumstances or with an OEM version of Windows XP since OEM installations create passwords and user accounts that did not exist previously and may cause you not to be able to log into the Recovery Console to restore files.

Booting into the Recovery Console

You'll need to use the Windows XP Recovery Console to fix a corrupted registry, this will either require you to boot from a Windows XP Installation CD or boot directly to the Recovery Console if its installed. Follow these steps to boot into the Recovery Console from a Windows XP Installation CD.

1) Place your Windows XP in the CD-ROM Drive
2) Restart your computer and make sure your BIOS is set to boot from CD
3) When you see the following command press the space bar.

"press any key to boot from cd..."

4) Wait until you see the "Welcome to Setup" screen, and press R to start the Recovery Console
5) Choose which Windows installation you wish to load (this is usually #1 unless you have a multi-boot system)
6) Type the administrator password and Press Enter
7) You should now be at the C:\Windows> prompt

Copy Repair Files Using the Recovery Console

This procedure assumes Windows is installed on Drive C, if you have installed Windows on another drive, please substitute the appropriate drive letter in the procedure below.

At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

Type exit to quit Recovery Console. Your computer will restart, press F8 as it starts and choose Safe Mode.

Restart in Safe Mode and Find a Recent Snapshot Backup

Restart your computer in Safe Mode by pressing F8 during the initial bootup and choosing Safe Mode. Once in Safe Mode, you need to make sure the files and folders are visible so you can access them. Follow these instructions to accomplish this.

1. Open My Computer
2. Click on the Tools menu, then click Folder Options.
3. Click the View tab.
4. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.
5. Click Yes when the dialog box that confirms that you want to display these files appears.

In My Computer, Double-click the drive where you installed Windows XP (usually Drive C) to display a list of the folders. then double-click on the "System Volume Information" folder. This folder contains the system restore points stored on your computer. The folders will look similar to

_restore{EE42BEB8-700A-495F-8004-53D26C2E12C5}

You might receive an access denied error message similar to the following when trying to access the System Volume Information folder.

C:\System Volume Information is not accessible. Access is denied.

This is generally caused because the user you are logged in under does not have permissions set on the folder. To fix this, follow the instructions in the Microsoft Knowledge Base article 309531 to gain access and continue. Each version of Windows XP is different on how to change these permissions.

Once you have access to the snapshots, use the instructions below to copy one of the latest snapshots to the Windows\TMP directory so you have access to it.

1) In the System Volume Information Folder, click on View, and then click Details to display the date of each snapshot folder.
2) Double-click on a folder that was not created at the current time but rather before the problem started.
3) Double-click on the Snapshot subfolder
4) Using your normal windows copy and paste techniques, highlight the following files and copy them into the C:\Windows\TMP folder

* _REGISTRY_USER_.DEFAULT
* _REGISTRY_MACHINE_SECURITY
* _REGISTRY_MACHINE_SOFTWARE
* _REGISTRY_MACHINE_SYSTEM
* _REGISTRY_MACHINE_SAM

5) Rename the files that you just copied into the C:\Windows\TMP folder by right-clicking on each filename and choosing Rename, then typing the new name. Repeat this for each file in the list below.

* Rename _REGISTRY_USER_.DEFAULT to DEFAULT
* Rename _REGISTRY_MACHINE_SECURITY to SECURITY
* Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
* Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
* Rename _REGISTRY_MACHINE_SAM to SAM

6) Once you have renamed the files, restart your computer again with the Recovery Console (refer to the instructions above to do this)

Replace the Repair Files with a Current Backup of the Registry

After rebooting the computer and starting the Recovery Console again, type the following commands at the prompt to replace the files with a current backup. You'll need to press Enter after each command.

del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default

After the files have been replaced, type EXIT at the command prompt to restart Windows in normal mode.

Use System Restore to Return to a Good Backup Point

Because there is more to a System Restore than just the registry files, follow these steps to restore your computer to a good backup point.

1. Click Start, and then click All Programs.
2. Click Accessories, and then click System Tools.
3. Click System Restore, and then click Restore to a previous Restore Point and finish the restore.

Regestry Editing

2008-03-08T02:32:00.000-08:00

Registry Editor
Registry Editor is an advanced tool for viewing and changing settings in your system registry, which contains information about how your computer runs. Windows stores its configuration information in a database (the registry) that is organized in a tree format. Although Registry Editor enables you to inspect and modify the registry, normally you do not need to do so, and making incorrect changes can break your system. An advanced user who is prepared to both edit and restore the registry can safely use Registry Editor for such tasks as eliminating duplicate entries or deleting entries for programs that have been uninstalled or deleted.
Using Registry Editor with Windows XP, 64-Bit Edition
The registry in Windows XP, 64-Bit Edition is divided into 32-bit and 64-bit keys. Many of the 32-bit keys have the same names as their 64-bit counterparts, and vice versa. The default, 64-bit version of Registry Editor that comes with Windows XP, 64-Bit Edition displays only the 64-bit keys.
To view or edit 32-bit keys from the registry of a computer running Windows XP, 64-Bit Edition, you must use the 32-bit version of Registry Editor in the %systemroot%\Syswow64 folder. You must close the 64-bit version of Registry Editor before you can open the 32-bit version, and vice versa. There are no differences in the way you perform tasks between the 32-bit version of Registry Editor and the 64-bit version of Registry Editor.
To open the 32-bit version of Registry Editor, click Start, click Run, type %systemroot%\syswow64\regedit, and click OK.
Change keys and values
• Find a string, value, or key
• Add a registry key to Favorites
• Add a key
• Add a value
• Change a value
• Delete a key or value
• Rename a key or value
• Connect to a registry over the network
• Disconnect from a network registry
• Copy a registry key name
• Restore the registry

To find a string, value, or key:
1. Open Registry Editor.
2. On the Edit menu, click Find.
3. In Find what, type the string, value, or key you want to find.
4. Select the Keys, Values, Data, and Match whole string only check boxes to match the type of search you want, and then click Find Next.
To add a registry key to Favorites
1. Open Registry Editor.
2. Select the registry key you want to add to Favorites.
3. On the Favorites menu, click Add to Favorites.
4. In the Add to Favorites dialog box, accept the default registry key name or type a new one.
The registry key is added to the Favorites list. You can then return to this list by simply selecting it from the Favorites menu.
To add a key
1. Open Registry Editor.
2. In the registry tree (on the left), click the registry key under which you would like to add a new key.
3. On the Edit menu, point to New, and then click Key.
4. Type a name for the new key, and then press ENTER
To add a value
1. Open Registry Editor.
2. Click the key or entry where you want to add the new value.
3. On the Edit menu, point to New, and then click the type of value you want to add: String Value, Binary Value, DWORD Value, Multi-String Value, or Expandable String Value.
4. Type a name for the new value, then press ENTER
To change a value
1. Open Registry Editor.
2. Select the entry you want to change.
3. On the Edit menu, click Modify.
4. In Value data, type the new data for the value, and then click OK.
To delete a key or value
1. Open Registry Editor.
2. Click the key or entry you want to delete.
3. On the Edit menu, click Delete.
Caution
• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
Notes
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• You can delete keys and values from your registry. However, you cannot delete a predefined key (such as HKEY_CURRENT_USER) or change the name of a predefined key.
• If you make a mistake that results in your computer not starting properly, you can restore the registry.

To rename a key or value
1. Open Registry Editor.
2. Click the key or entry you want to rename.
3. On the Edit menu, click Rename.
4. Type the new name, and then press ENTER
To connect to a registry over a network
1. Open Registry Editor.
2. On the File menu, click Connect Network Registry.
3. In the Connect Network Registry dialog box, type the name of the computer to whose registry you want to connect.
To disconnect from a network registry
1. Open Registry Editor.
2. On the File menu, click Disconnect Network Registry.
3. In the Disconnect Network Registry dialog box, click the name of the computer from whose registry you want to disconnect.
To copy a registry key name
1. Open Registry Editor.
2. In the registry tree (on the left), click a registry key.
3. On the Edit menu, click Copy Key Name.
4. Paste the name of the registry key into another program or document

To restore the registry
1. Open Registry Editor.
2. Click Options, and then click Print to print these instructions. (If you are using the Help and Support Center, click Print above the topic area.) They will not be available after you shut down your computer in step 2.
3. Click Start, and then click Shut Down.
4. In the list, click Restart, and then click OK.
5. When you see the message Please select the operating system to start, press F8.
6. Use the arrow keys to highlight Last Known Good Configuration, and then press ENTER.
NUM LOCK must be off before the arrow keys on the numeric keypad will function.
7. Use the arrow keys to highlight an operating system, and then press ENTER

To export all or part of the registry to a text file
1. Open Registry Editor.
2. On the File menu, click Export.
3. In File name, enter a name for the registry file.
4. Under Export range, do one of the following:
o To back up the entire registry, click All.
o To back up only a particular branch of the registry tree, click Selected branch and enter the name of the branch you want to export.
5. Click Save.
To import some or all of the registry
1. Open Registry Editor.
2. On the File menu, click Import Registry File.
3. Find the file you want to import, click the file to select it, then click Open.

To export a registry key to a hive file
1. Open Registry Editor.
2. Select the key that you want to save as a file.
3. On the File menu, click Export.
4. In the Export Registry File dialog box, in Save in, click the drive, folder, or network computer and folder where you want to save the hive.
5. In File name, enter a name for the hive.
6. In Save as type, click Registry Hive Files.
7. Click Save.
To import a registry key from a hive file
1. Open Registry Editor.
2. Select the keys in which you want to restore the hive.
3. On the File menu, click Import.
4. In Look in, select the drive, folder, or network computer and folder in which the hive is located.
5. In Files of type, click Registry Hive Files.
6. Select the correct file name for the hive.
7. Click Open.

To load a hive into the registry
1. Open Registry Editor.
2. In the registry tree (on the left), click either the HKEY_USERS or HKEY_LOCAL_MACHINE keys.
3. On the File menu, click Load Hive.
4. In Look in, click the drive, folder, or network computer and folder that contains the hive you want to load.
5. Click Open.
6. In Key Name, type the name that you want to assign to the hive, and then click OK.
To unload a hive from the registry
1. Open Registry Editor.
2. Select a hive that you have previously loaded onto your system.
3. On the File menu, click Unload Hive

To assign permissions to a registry key
1. Open Registry Editor.
2. Click the key to which you want to assign permissions.
3. On the Edit menu, click Permissions.
4. Assign an access level to the selected key as follows:
o To grant the user permission to read the key contents, but not save any changes made to the file, under Permissions for name, for Read, select the Allow check box.
o To grant the user permission to open, edit, and take ownership of the selected key, under Permissions for name, for Full Control, select the Allow check box.
o To grant the user special permission in the selected key, click Advanced.
5. If you are assigning permissions to a subkey and you want the inheritable permissions assigned to the parent key to apply to the subkey also, select the Inherit from parents the permission entries that apply to child objects. Include these with entries explicitly defined here check box
To assign special access to a registry key
1. Open Registry Editor.
2. Click the key to which you want to assign special access.
3. On the Edit menu, click Permissions.
4. Click Advanced, and then double-click the user or group to whom you want to assign special access.
5. Under Permissions, select the Allow or Deny check box for each permission you want to allow or deny.

To add users or groups to the Permissions list
1. Open Registry Editor.
2. Click the key whose Permissions list you want to change.
3. On the Edit menu, click Permissions, and then click Add.
4. In the Select Users, Computers, or Groups dialog box, in Locations, click the computer or domain of the users and groups you want to view.
5. Click the name of the user or group, click Add, and then click OK.
6. In the Permissions dialog box, under Permissions for name, assign a type of access to the selected user or group as follows:
o To grant the user permission to read the key contents but not to save any changes made to it, select the Allow check box for Read.
o To grant the user permission to open, edit, and take ownership of the selected key, select the Allow check box for Full Control

To grant Full Control of a registry key
1. Open Registry Editor.
2. Click the key to which you want to grant Full Control.
3. On the Edit menu, click Permissions.
4. Under Group or user names, click the user to whom you want to grant Full Control of your registry key.
5. Under Permissions for name, where name represents the name of the user to whom you are granting Full Control of the key, select the Allow check box for Full Control
To audit activity on a registry key
1. Open Registry Editor.
2. Click the key you want to audit.
3. On the Edit menu, click Permissions.
4. Click Advanced, and then click the Auditing tab.
5. Double-click the name of a group or user.
6. Under Access, select or clear the Successful and Failed check boxes for the activities that you want to audit or to stop auditing:
Select To audit
Query Value Any attempts to read a entry from a registry key
Set Value Any attempts to set entries in a registry key
Create Subkey Any attempts to create subkeys on a selected registry key
Enumerate Subkeys Any attempts to identify the subkeys of a registry key
Notify Any notification events from a key in the registry
Create Link Any attempts to create a symbolic link in a particular key
Delete Any attempts to delete a registry object
Write DAC Any attempts to write a discretionary access control list on the key
Write Owner Any attempts to change the owner of the selected key
Read Control Any attempts to open the discretionary access control list on a key

To add users or groups to the audit list
1. Open Registry Editor.
2. Click the key you want to audit.
3. On the Edit menu, click Permissions.
4. Click Advanced, click the Auditing tab, and then click Add.
5. Click Object Types, select the type or types of users or groups you want to find, and then click OK.
6. Click Locations, select the computer or domain of the users or groups you want to view, and then click OK.
7. Type the name of the user or group you want to add and then click OK to open the Auditing Entry dialog box, or click Advanced to search for a user, computer, or group based on parameters you set.

To take ownership of a registry key
1. Open Registry Editor.
2. Click the key you want to take ownership of.
3. On the Edit menu, click Permissions.
4. Click Advanced, and then click the Owner tab.
5. Under Change owner to, click the new owner, and then click OK.
To print all or part of the registry
1. Open Registry Editor.
2. Click the computer or top-level key of the registry area you want to print.
3. On the File menu, click Print.
4. You can print the entire registry by clicking All or only part of the registry by clicking Selected Branch and typing the desired branch in the text box, and then click OK.
Registry Editor overview
Registry Editor is an advanced tool for viewing and changing settings in your system registry, which contains information about how your computer runs. Windows stores its configuration information in a database (the registry) that is organized in a tree format. Although Registry Editor enables you to inspect and modify the registry, normally you do not need to do so, and making incorrect changes can break your system. An advanced user who is prepared to both edit and restore the registry can safely use Registry Editor for such tasks as eliminating duplicate entries or deleting entries for programs that have been uninstalled or deleted.
Folders represent keys in the registry and are shown in the navigation area on the left side of the Registry Editor window. In the topic area on the right, the entries in a key are displayed. When you double-click a entry, it opens an editing dialog box.
You should not edit your registry unless it is absolutely necessary. If there is an error in your registry, your computer may not function properly. If this happens, you can restore the registry to the same version you were using when you last successfully started your computer. For instructions, see Related Topics.
Registry Editor Keys
The navigation area of the Registry Editor displays folders, each of which represents a predefined key on the local computer. When accessing the registry of a remote computer, only two predefined keys, HKEY_USERS and HKEY_LOCAL_MACHINE, appear.
Folder/predefined key Description
HKEY_CURRENT_USER Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is referred to as a user's profile.
HKEY_USERS Contains the root of all user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS.
HKEY_LOCAL_MACHINE Contains configuration information particular to the computer (for any user).
HKEY_CLASSES_ROOT Is a subkey of HKEY_LOCAL_MACHINE\Software. The information stored here ensures that the correct program opens when you open a file by using Windows Explorer.
HKEY_CURRENT_CONFIG Contains information about the hardware profile used by the local computer at system startup.
The following table lists the data types currently defined and used by the system.
Data type Description
REG_BINARY Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.
REG_DWORD Data represented by a number that is 4 bytes long. Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format.
REG_EXPAND_SZ A variable-length data string. This data type includes variables that are resolved when a program or service uses the data.
REG_MULTI_SZ A multiple string. Values that contain lists or multiple values in a form that people can read are usually this type. Entries are separated by spaces, commas, or other marks.
REG_SZ A fixed-length text string.
REG_FULL_RESOURCE_DESCRIPTOR A series of nested arrays designed to store a resource list for a hardware component or driver.