windows, pcs, operating systems, virus, errors, bugs, trouble shooting computers

Can a virus hide in a PC's CMOS memory?

2010-04-22T22:19:00.001-07:00

Can a virus hide in a PC's CMOS memory?

No. The CMOS RAM in which PC system information is stored and backed up
by batteries is accessible through the I/O ports and not directly
addressable. That is, in order to read its contents you have to use I/O
instructions rather than standard memory addressing techniques.
Therefore, anything stored in CMOS is not directly "in memory". Nothing
in a normal machine loads the data from CMOS and executes it, so a virus
that "hid" in CMOS RAM would still have to infect an executable object
of some kind in order to load and execute whatever had been written to
CMOS. A malicious virus can of course *alter* values in the CMOS as
part of its payload, but it can't spread through, or hide itself in, the
CMOS.

Further, most PCs have only 64 bytes of CMOS RAM and the use of the
first 48 bytes of this is predetermined by the IBM AT specification.
Several BIOS'es also use many of the "extra" bytes of CMOS to hold their
own, machine-specific settings. This means that anything that a virus
stores in CMOS can't be very large. A virus could use some of the
"surplus" CMOS RAM to hide a small part of its body (e.g. its payload,
counters, etc). Any executable code stored there, however, must first
be extracted to ordinary memory in order to be executed.

This issue should not be confused with whether a virus can *modify* the
contents of a PC's CMOS RAM. Of course viruses can, as this memory is
not specially protected (on normal PCs), so any program that knows how
to change CMOS contents can do so. Some viruses do fiddle with the
contents of CMOS RAM (mostly with ill-intent) and these have often been
incorrectly reported as "infecting CMOS" or "hiding in CMOS". An
example is the PC boot sector virus EXE_Bug, which changes CMOS settings
to indicate that no floppy drives are present

what is 41.exe ?/spyware/malware/virus

2010-01-21T22:45:00.000-08:00

Associated Malware Groups

The unsafe files using this name are associated with the malware group:

* Cloaked Malware

File Behavior

41.EXE has been seen to perform the following behavior:

* Enables an In Process Object/Server - Common with DLL Injections
* Creation and Registration of a Browser Helper Object in Internet Explorer
* Adds a Registry Key (RUN) to auto start Programs on system start up
* This process creates other processes on disk
* Registers a Dynamic Link Library File
* This Process Deletes Other Processes From Disk
* Creates new folders in the file system
* Uses DNS to retrieve the IP address for web sites
* Executes a Process
* Writes to another Process's Virtual Memory (Process Hijacking)
* Can communicate with other computer systems using HTTP protocols
* Creates system tray popups, messages, errors and security warnings
* The Process is packed and/or encrypted using a software packing process
* Executes Processes stored in Temporary Folders
* Creates or uses a background service to access the Internet using HTTP protocols
* Injects code into other processes

41.EXE has been the subject of the following behavior:

* Created as a process on disk
* Executed as a Process
* Has code inserted into its Virtual Memory space by other programs
* Deleted as a process from disk
* Executed from Temporary Folders
* Terminated as a Process
* Executed by Internet Explorer

Country Of Origin

The filename 41.EXE was first seen on Oct 22 2007 in the following geographical regions of the Prevx community:

* India on Oct 22 2007
* Spain on Oct 30 2007
* China on Oct 30 2007
* on Aug 27 2008
* Canada on Sep 11 2008
* The United States on Sep 14 2008
* Brazil on Jan 20 2010

File Name Aliases

41.EXE can also use the following file names:

* ILAN213V41.EXE
* TMP63B1.TMP
* 41[1].EXE
* S4Q0
* 18467.EXE
* 90794102.TXT

Filesizes

The following file size has been seen:

* 169,472 bytes
* 11,599 bytes
* 153,764 bytes
* 163,773 bytes
* 444,416 bytes
* 90,653 bytes
* 273,513 bytes

File Type

The filename 41.EXE is used by multiple object types including executable programs,objects.
File Activity

One or more files with the name 41.EXE creates, deletes, copies or moves the following files and folders:

* Deletes c:\docume~1\user\locals~1\temp\nsh7.tmp
* Creates c:\docume~1\user\locals~1\temp\nsh9.tmp
* Deletes c:\docume~1\user\locals~1\temp\nsxB.tmp
* Creates c:\docume~1\user\locals~1\temp\nsxb.tmp\System.dll
* Creates c:\windows\system32\xdjrtecswiaartg.dll
* Creates c:\docume~1\user\locals~1\temp\nsxb.tmp\NSISdl.dll
* Creates c:\docume~1\user\locals~1\temp\activation_key
* Deletes c:\docume~1\user\locals~1\temp\activation_key
* Opens/modifes c:\autoexec.bat
* Creates c:\documents and settings\user\application data\Microsoft
* Creates c:\documents and settings\user\application data\microsoft\Crypto
* Creates c:\documents and settings\user\application data\microsoft\crypto\RSA
* Creates c:\documents and settings\user\application data\microsoft\crypto\rsa\S-1-5-21-1017937101-3376078148-572454927-1003
* Deletes c:\docume~1\user\locals~1\temp\nsxb.tmp\NSISdl.dll
* Deletes c:\docume~1\user\locals~1\temp\nsxb.tmp\System.dll
* Creates c:\docume~1\user\locals~1\temp\9597_appcompat.txt
* Creates c:\docume~1\user\locals~1\temp\19FF4.dmp

Network Activity

One or more files with the name 41.EXE performs the following network events:

* DNS Lookup85.92.152.44 mysidesearch.com

Website Activity

One or more files with the name 41.EXE interacts with the following web sites and pages. Web addresses have been deliberately modified to prevent unintentional use.

* TCP:127.0.0.1:1094 Port:17
* Port 80 IP:85.92.152.44
* Port 80 IP:85.92.157.141

lock the taskbar option not working?

2009-10-13T00:43:00.000-07:00

it may some times caused due to the option has "greyout"

so to make it enable we should edit the registry

goto->start->run->regdit->

then HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer

delete the locktaskbar key

Networking error 71

2008-07-29T23:32:00.001-07:00

Error 71
1. Is someone connected as you? Been giving out your password?

2. Were you disconnected all of a sudden before this happens? You could be 'ghosted' on the server. The ISP can usually "bump" the 'ghost' off through radius.

How to fix Network error 20?

2008-07-29T23:30:00.000-07:00

Error 20

1. Make sure the correct modem is selected.

2. Does the modem respond to diagnostics? It may need to be reinstalled.

3. Is RNAAPP loaded into memory after closing the dialer? If so try the RNAAPP fix.

4. Reinstall NCP/DUN/RAS.

2008-07-29T23:26:00.000-07:00

Dial-Up Networking Errors(DUNS)

Windows 95, 98, Me, NT, 2000, XP, and Vista.

In later versions of operating systems (NT, 2000, XP and Vista) some of the errors can occur for connections other than traditional dial-up modem connections: they may occur with DSL and VPN (virtual private networking) connections that do not involve dial-up.

NOTE: Some solutions indicate to re-install DUNs and/or TCP/IP. See this Microsoft KB article for Win 95/98 instructions to Remove & Re-install DUNS & TCP/IP. Newer versions of Windows don't allow DUNS uninstall: see Reset DUNS (TCP/IP) in Windows 2000 & XP.

Windows Vista: Dialing directly from the 'Connect To' menu or other shortcuts will not display DUNs error codes - instead, particularly large and unhelpful dialog boxes are shown as detailed here. In order to see any DUNs error codes, you must dial from the 'Manage Network Connections' Window.

Connectoids. In many cases, DUNs Errors can be solved by correcting the properties for your dial-up networking connections.

ERROR 50 - The request is not supported.

600 - An operation is pending.

601 - The port handle is invalid.

602 - The port is already open.

603 - Caller's buffer is too small.

604 - Wrong information specified.

605 - Cannot set port information.

606 - The port is not connected.

607 - The event is invalid.

608 - The device does not exist.

609 - The device type does not exist.

610 - The buffer is invalid.

611 - The route is not available.

612 - The route is not allocated.

613 - Invalid compression specified.

614 - Out of buffers.

615 - The port was not found.

Network Cable Unplugged Errors in Windows

2008-07-29T23:23:00.000-07:00

Network Cable Unplugged Errors in Windows

If your network is not functioning properly, you may see "A Network Cable Is Unplugged" messages appear repeatedly on the Windows desktop. Messages may pop up on the screen once every few days or even once every few minutes depending on the nature of the problem. This can occur even if you are using a WiFi wireless network. How can this problem be fixed?
-------------------------------------------------------------------------------------
Several possible causes of "A Network Cable Is Unplugged" messages exist. The error message appears on a computer when an installed Ethernet adapter is seeking to make a network connection.

Disable the Ethernet network adapter if you are not using it. This applies, for example, when running a WiFi home network with computers that have built-in Ethernet adapters. To disable the adapter, double-click the small Network Cable Unplugged error window and choose the Disable option.

Check both ends of the Ethernet cable connected to the adapter to ensure they are not loose.

Replace the Ethernet cable with a different one to verify the cable is not damaged.

Update the network adapter driver software from the manufacturer's Web site.

Change the Link Speed and Duplex settings (using Device Manager) to use "100 Mbps Full Duplex" or "10 Mbps Full Duplex" instead of Auto Detect.

Replace the Ethernet network adapter if it is a removable PCI or PCMCIA card. First remove and re-insert the existing adapter hardware to verify the card is connected properly. If necessary, also replace it with a different card.

The device your Ethernet adapter is connected to, such as a broadband modem or network router may be malfunctioning. Troubleshoot these devices as needed

why my system restarts frequently?

2008-07-24T00:45:00.000-07:00

Baby, It's Hot in There
Sometimes this can be caused by an overheating situation. Itunes, RealPlayer, Windows Media player, etc. require a lot of processing power to decompress and decode music files, which can cause the processor or hard drive to get hot.

If your CPU is running at over 60 degrees (C) you might be at risk of burning it out. Some systems shut down automatically when the temperature reaches an unsafe level. Every few weeks I open my system unit and clean the fins on the heat sink that sits under the CPU. When they collect dust it restricts the airflow and prevents proper cooling. You can use a can of compressed air (look at your local office supply store) or an old toothbrush. I just did that on my system and the CPU temperature dropped by ten degrees!

Download the free Speedfan utility and it will tell you the temperature at which your CPU and hard drives are running.

Memory Fails Me...
If you determine that overheating is not the problem, the most likely suspect is bad memory. Trying to access a bad spot in your system memory (RAM) can cause the computer to freak out and restart. The best way to find the culprit is to pop open the system unit, remove (or replace) one RAM stick and see if the problem is solved. Run your system for a while and if the problem goes away, you win! If not... lather, rinse and repeat for each RAM stick until you find the one that's misbehaving.

Don't Do Me Any Favors
There's a setting buried in Windows XP that tells your computer to restart when a system error occurs. If you turn off that option, you may solve your automatic reboot problem.

Click Start, then open Control Panel

Click Performance and Maintenance

Click System

Click on the Advanced Tab

Click Settings in the Startup and Recovery section

Uncheck Automatically Restart in the System failure section

Note that this may prevent the system from restarting, but it can also mask the true problem. As an alternative to this measure, consider what has recently changed on your system. If you have installed new hardware or software, remove it and see if the annoying restart persists. Sometimes downloading the latest driver software from the manufacturer's website will fix hardware incompatibility problems that cause restarts.

Computer Restarts After Download?
Some folks have written to me complaining that their computer automatically restarts itself after every download. And interestingly, most (if not all) mentioned they were using the Firefox browser. If you are using a download manager or download accelerator, this could be causing the problem. Check all the settings in the download manager and tweak if necessary. Or get rid of the download manager and see if the problem remains.

This can also be a virus or spyware problem. I suggest you go through your Control Panel / Add or Remove Programs list and remove any programs you don't need, then run thorough anti-virus and anti-spyware scans. It could even be your anti-virus program fighting with the browser or download manager. Switching to a new anti-virus might help also. See my recommendations for the best free anti-virus software for help with that.

Other Things to Consider
Failing or under-rated power supplies can also cause your computer to restart at seemingly random intervals. Switching out a power supply is really not too hard. Turn off the computer, open the case, disconnect the power cable from the power supply to the motherboard. Unscrew the power supply from the case, and reverse the process to install a new power supply. A 300-watt power supply will be fine in most computers.

And as one reader kindly pointed out, bad capacitors on the motherboard can also cause random reboots. But unless you're kinda geeky and handy with a soldering iron, it's tough to identify and fix this problem. You can find lots more helpful info on bad capacitors at badcaps.net. For most mere mortals, replacing the motherboard as a last resort will be easier than replacing a capacitor.

I also encourage you to read ALL of the comments below, before you rip your hair out, or rip your computer to shreds. It boils down to this... most restart problems are caused by overheating, bad ram, malware, or some other failing component. It can be difficult and time-consuming to identify WHICH of those things is the culprit. The only good solution is to test each one, in sequence (removing and replacing components if necessary), to identify the problem.

how to save life of the battery of Vista operated Laptop?

2008-04-15T11:00:00.000-07:00

Now a days those who by Laptop computers they are using Windows Vista Operating System.

In this WindowsVista there is Aerouser interface, Windows Slidebar features. Because of this bettery life gets down.

so go for this url http://www.codeplex.com/vistabattery there will be a programme named vista Battery saver download that programme it will give u a different type of power files that u can install in u'r laptop . this will give good backup for the batt
ery

Use this for changing XP boot screen

2008-04-15T10:39:00.000-07:00

Now a days all are using some sharewares that change the boot screens.

But after unsinstallong these there is a way of not booting also and the system kernell may be currupted.

There is a good way to solve these

use http://www.stardock.com/products/bootskin/index.asp

in this url you can get Bootskin programe for free.

after installing it go to http://www.wincustomize.com/Skins.aspx?LibID=32 for getting screens

Hide RunAs option in Context menu after right clicking an application

2008-04-14T10:38:00.000-07:00

you all know when u run an application by your mouse right click like this

this options appear so to desable these options u can modify registry like this

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Current Version\Policies\Explorer

go to Hide RunAsVerb

create a DWORD and give the valu as 1
then u can remove Runas option in context menu

u can see Run only

Puper (virus or Torjan) showing video of former pakisthani prime minister benezer Butto killing

2008-04-03T03:12:00.000-07:00

This is a trojan detection. Unlike viruses, trojans do not self-replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Characteristics

A new variant of the Puper trojan has been observed which is part of a threat that attempts to spread on the premise that it offers a codec to see a video of the suicide attack that killed Pakistani Prime Minister Benazir Bhutto. For more information on this threat, please see the Avert Blog.

--------------------------------------------------------------------------------
The Puper family of trojans are used to modify the internet explorer home page and search page in addition to monitoring internet usage.

The Puper trojan monitors its own processes and will continually execute them to ensure they stay in memory. Additionally it will launch every time explorer.exe gets launched.

This trojan may drop hpxxxx.tmp where xxxx is random characters. This file will be detected as puper.dll and is responsible for the start page and search page behavior.

The file hhk.d is responsible for masking the presence of registry keys created by the puper trojan.

System Changes

Files Added
%SystemDir%\intmon.exe (2 KB)
%SystemDir%\hp8af9.tmp (51 KB)
%SystemDir%\hhk.dll (6 KB)
Please note that the hp8AF9.tmp filename is hp + four random characters + .tmp
Registry

The following registry keys are created:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\policies\Explorer\run
"notepad2"=%original file%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objects\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
\Explorer\Browser Helper Objecta\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
"(default)"="http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
"provider"=""
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "CustomizeSearch" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search "SearchAssistant" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Search_URL" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Use Search Asst" = "http://www.oneclicksearches.com/search.php?qq=%1"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Bar" = "http://www.oneclicksearches.com/bar.html"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Default_Page_URL" = "about:blank"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Enable Browser Extensions"="Yes"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\HELPDIR "" =" C:\WINDOWS\System32\"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\FLAGS "" = "0"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0\0\win32 "" = "C:\WINDOWS\System32\hp8AF9.tmp"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}\1.0 "" = "VM HomePage Type Library"
HKEY_CLASSES_ROOT\TypeLib\{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "Version" = "1.0"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\TypeLib "(default)" = "{1E1B286C-88FF-11D2-8D96-D7ACAC95951F}"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid32 "" = "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F}\ProxyStubClsid "" = "{00020424-0000-0000-C000-000000000046}"
HKEY_CLASSES_ROOT\Interface\{1E1B2878-88FF-11D2-8D96-D7ACAC95951F} "" = "IHomePage"
HKEY_CLASSES_ROOT\HP.1\CLSID
"default"="{f8e5c210-f232-427b-92ee-b5a6ce622951}"
HKEY_CLASSES_ROOT\HP.1
"default"="HP Class"
HKEY_CLASSES_ROOT\HP\CurVer
"default"="HP.1"
HKEY_CLASSES_ROOT\HP\CLSID
"default"="{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"
HKEY_CLASSES_ROOT\HP
""="HP Class"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\VersionIndependentProgID
"" = "VMHomepage"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\TypeLib
"" = "{f8e5c210-f232-427b-92ee-b5a6ce622951}"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\Programmable HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\ProgID "" = "VMHomepage.1"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32 "ThreadingModel" = "Apartment"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}\InprocServer32
"(default)"="C:\WINDOWS\System32\hp8AF9.tmp"
HKEY_CLASSES_ROOT\CLSID\{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} "" = "HP Class"
HKEY_CLASSES_ROOT\CLSID\VMHomepage.1
HKEY_CLASSES_ROOT\CLSID\VMHomepage
"CurVer" = "VMHomepage.1"
HKEY_CLASSES_ROOT\CLSID\VMHomepage
"CLSID" = "{FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA}"
The following registry keys are modified:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Local Page" = "http://www.oneclicksearches.com/"
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Search Page" = "http://www.oneclicksearches.com/search.php?qq=%1"

Symptoms -

Presence of the files and registry entries referenced above.

Additionally the start page and search page may be reset when changed and there may be performance degradation due to the continual launching of the trojan binaries.

Method of Infection
Method of Infection -

Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Distribution channels include IRC, peer-to-peer networks, newsgroup postings, etc.

However they may themselves be downloaded by other viruses and/or Trojans to be installed on the user's system.

Many of these additionally are mass spammed by the author to entice people into double-clicking on them.

Alternatively they may be installed by visiting a malicious web page (either by clicking on a link, or by the website hosting a scripted exploit which installs the trojan onto the user's system with no user interaction

Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob

2008-04-03T03:03:00.001-07:00

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob
Characteristics
Characteristics -

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe
Symptoms
The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection
The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov.
hotmail iana ibm.com
icrosof ietf inpris isc.o
isi.e
kernel linux math mit.e, mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secure sendmail sopho syma tanford.e, unix usenet utgers.ed, Additionally,
the worm contains strings,
which it uses to randomly generate,
or guess, email addresses. These are prepended as user names to harvested domain names:

sandra, linda ,julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.

W32/Zhelatin.gen!eml

2008-04-03T02:56:00.000-07:00

This is a generic detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download.
On visiting the link, a cocktail of browser and application exploits that attempts a drive-by install of malware on the users machine is performed.
The script which is used for the drive-by download is detected as JS/Downloader-BCZ.

Characteristics -
This threat is updated on a daily basis.
For the latest on the tactics used by this virus family, please check the Avert Blog.
This is a detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download.

User receives an email titled “You’re received a postcard” in his inbox and is requested to open the link contained in the message body in order to view the virtual postcard.
On visiting the link, a cocktail of browser and application exploits that attempts a drive-by install of malware on the users machine is performed.
A copy of the spammed message is as follows:
Note: The link in the message has been sanitized to protect users from guessing.
Symptoms
Presence of the W32/Zhelatin.gen!eml detection is not an indication that a system has become actively infected.
The from address is spoofed when sending infectious email messages and therefore, it can not be assumed that the from user address is any indication of which user may actually be infected.The following list of subject lines have been observed in the wild:

You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a class-mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a neighbour!
You’ve received a greeting card from a partnerCustomers should simply delete all email messages identified as W32/Zhelatin.gen!eml.
Method of Infection
The URL in the message points to a site hosting the a cocktail of browser and application exploits. On visiting the site, a silent drive-by install of malware is attempted on unpatched machines.
Removal - A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.
Additional Windows ME/XP removal considerations

what iis Sohanad.AE

2008-04-01T11:21:00.000-07:00

Sohanad.AE is a worm. The worm will infect Windows systems and spreads through Yahoo! Messenger, a popular instant messaging application.

The worm arrives as a downloaded file via Yahoo! Messenger.

Upon execution, this worm copies itself as SVHOST32.EXE and SVHOST.EXE in the Windows folder.

The worm modifies registry at the following location to load itself during each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo! Messenger.

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast

The worm also modifies the registry to disable Registry Editor and Task Manager.

It also changes the Internet Explorer (IE) home page to;

http://(BLOCKED)coolpics.net

This worm propagates via Yahoo! Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipients' system.

The details of the message sent out by this worm are;

Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon ;))
:D who is beside you in this pic http://thecoolpics.net/friendpic1.jpg so good-looking
:( the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg << :(
Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !! <<
oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<

It also attempts to connect to the following website to download and execute some malicious files.

http://{BLOCKED}vey-sales.com/ipn/transactions/en.exe
http://{BLOCKED}vey-sales.com/ipn/transactions/link-en.exe

The worm tries to terminate some of the security related processes.

This worm first appeared on November 12, 2006.

what is Nhatquanglan Virus?(newfolder.exe, dos.com)

2008-04-01T11:07:00.000-07:00

A Nhatquanglan Virus?

Sit along with me as you discover what are the three filesjavascript:void(0)
Publish Post that make up a Nhatquanglan virus infection and how you can protect yourself from a possible threat to your personal security. A Nhatquanglan Virus is a really annoying virus that takes away your power over your PC by blocking important programs from running.

It disguises itself as a folder but is actually a program that sends out your personal information over the internet for everyone to see. You may or may not have a Nhatquanglan virus on your PC yet, but to be safe, it would be wise for you to discover how it can affect you and ways on how to protect yourself.

When you forgot to take care, below are just some of the ways this virus can affect you.

Nhatquanglan Virus blocks Device Manager

Device Manager is the page where you manage everything that is connected to your PC. This includes hard disk drives, modems, printers, monitors - you name it, it’s there. You use this to replace old software that makes a particular computer part work, or to change hardware settings, add a new piece of hardware, or to stop it from working completely and more.

Aside from this, Device Manager is usually the place where tech support tells their clients to go when dealing with problems with their PC’s. When you are infected by a Nhatquanglan virus, all your power to change the settings of the peripherals on your PC is gone. Now, when a modem does not work, you cannot check what is wrong with it - and you can’t connect to the internet either.

Nhatquanglan Virus and Task Manager

Aside from not letting you use your PC’s Device Manager, there are other ways that this virus can give you a hard day. When your PC is infected with a Nhatquanglan virus, and a program that you are using has crashed or hanged, you no longer have the power to “kill” the offending program because the Nhatquanglan will not let you use Task Manager - one of the useful tools included with your Windows installation.

Because you cannot use Windows Task Manager, you cannot lock your PC everytime you take a break - making it possible for everyone to look at what you are doing. There are other ways that a Nhatquanglan virus can give you a bad day and some of it, you might not want to know.

Let’s not talk about how annoying a Nhatquanglan virus is anymore - I think you already have an idea. If you want more, here is a list of annoyances it can give you - or you can just say goodbye to these problems by getting rid of a Nhatquanglan virus right now.

* It does not allow you to run Regedit to change Windows XP registry settings.
* It will not allow you to run the Command Prompt, where some of the more important Windows XP commands can only be used.
* It will not allow you to change File Type Extensions. Too bad, you can use this tweak to make Microsoft Excel 2007 start faster.
* You cannot change a folder to be hidden or not - you just cannot do that because it takes away the Folder Options.
* It can infect other PCs as well - annoying if you are on a network. It can also transfer itself to thumb drives (Ipods, Flash disks, etc).

Nhatquanglan Virus Files

There are files that you need to remove for you to get rid of a Nhatquanglan virus infection. And they are:

* blastclnnn.exe
* scvshosts.exe
* hinhem.scr
* New Folder.exe

Did you know that you can do a simple test to see if your PC is infected with a Nhatquanglan virus? And as you go along reading this article, you’ll find out for yourself.

For you to be protected, I believe that it is important that you know more about this virus - this will give you the necessary information you need in case you or your friend do get infected.

You have already discovered how a Nhatquanglan virus can annoy you. Now discover how this virus works…
How A Nhatquanglan Virus Ruins Your Day

The Nhatquanglan disguises itself as a folder inside the folder that it has infected. Too confusing? Let me put it this way: Suppose you have a folder named CLEAN. The virus will make copies of itself on the CLEAN folder using CLEAN as its name. Now, you have a program named CLEAN on the CLEAN folder.

Here’s a tip: To tell if it’s a program and not a real folder, hover your mouse over it and look at the tool tip that pops up.

If it’s a real folder, it must not show the word “File Version:” If it does, do not open or double click it!! That might be a Nhatquanglan virus!

Nhatquanglan Virus Removal Instructions

What I am about to reveal to you is how I got rid of a Nhatquanglan infection using only one free tool that you can download over the Internet.

This fix worked for me but yours may vary - use the guide I am about to give at your own risk. Or, avail of those software that scans your PC for viruses and have it scanned for you.

To start, you need to have a copy of ComboFix saved on your PC. ComboFix scans your drive for possible infections and tries to delete the three hidden files that the Nhatquanglan uses to make copies of itself. ComboFix is a free tool.

Avail of your copy and save it on your hard drive and remember where you saved it. For this guide, I am assuming that you have saved it on the C:\ drive.

Restart your PC in Safe Mode. You do this by pressing the F5 key when your pc starts. You need to use Safe Mode with Command Prompt. Don’t mind the list of files that Windows Xp loads as it starts.

Now, while at the Command Prompt, you need to use the ComboFix program by typing (without the quotes): “combofix”And hitting the Enter key.ComboFix will now do its job - scanning your PC for Nhatquanglan infections. Just follow what ComboFix says. After it finishes, the file which shows you what ComboFix had done will open up.

You may read it if you like, but most of them are jargons. Hopefully, Combofix has cleaned your PC of a Nhatquanglan virus infection - but to be sure you need to do some last minute cleaning.

I’ll reveal to you what you should do…

Go to the Command Prompt and do the following (without the quotes), hitting the Enter key after each command:

“cd \”

“del c:\windows\system32\scvshosts.exe”

“del c:\windows\system32\blastclnnn.exe”

“del c:\windows\hinhem.scr”

What you just did is deleted the three Nhatquanglan files. Take note of the spelling specially scvshosts.exe. This is different from svchost.exe which is an important Windows XP file!

You also need to remove a task that is scheduled by the Nhatquanglan virus. This virus adds one task to the Task Scheduler - so everytime you open up your PC, it executes this task, which is to make copies of itself. This is how it manages to appear again and again even if you managed to delete the three nhatquanglan files: scvshosts.exe, blastclnnn.exe and hinhem.scr. To remove the scheduled task, you need to take a peek at the lists. You do this by going to the Command Prompt and typing the following command (without the quotes):

“cd \”
“cd windows\tasks”
“del *.job”

Note: The last command above deletes everything in the Windows\Tasks folder. If you have tasks scheduled and you do not want them to be deleted, you need to manually check each one. A scheduled task that has scvshosts.exe as the program to be performed, needs to be deleted.

When all is ok, you may now restart your PC. Hopefully, you can now use the Task Manager, Device Manager, Folder Options and other commands in Windows XP. Remember the trick I told you about on how to see if there is a Nhatquanglan virus on your PC? I’ll reveal it to you now…

As a preventive measure, you might want to change how your files show when you explore them on your PC. Set them to Details.

That’s all there is to it. Now, when you glance at the folder name, also take a look at its Type column. If the picture of the folder is a folder but under the Type column it reads Application, you might want to reconsider opening it. It might be a virus… just waiting to pounce on you.
Tips On How to Prevent Future Virus Infections

After you have successfully removed a Nhatquanglan virus infection, it would be wise to take extra measures to prevent this virus from infecting your PC again. A simple change in surfing habits - such as looking out for suspicious sites, can dramatically decrease your chance of getting one of these viruses.

A Nhatquanglan virus can also spread itself via your thumb drive such as an Apple Ipod, etc. Speaking from experience, I would recommend that you install reliable software that monitors and protects your PC from viruses.

Your best bet would be an anti-virus and a firewall. The anti-virus is to help detect a virus as it moves, giving you the option to delete it or put it in a quarantine so it won’t infect other files.

A firewall blocks suspicious incoming connections to your PC - pretty much how a Nhatquanglan managed to infect your PC. Having a copy of an anti-spyware/malware can also help a lot.

Tool for opening task manager and regisryeditor when virus effects

2008-04-01T10:50:00.000-07:00

If your systems Task manager ,Registry are disabled by any Viruses such as sohanand,Nhatquanglan i.e,, Heap41 virus and Newfolder.exe you can use the following tool for recovering the teask manger and registry

http://luqsoft.com/diskheal

after using this tool u must remove that virus.this tool is only for recovering the required TskManager and regedit

W32/Mytob.gen@MMType Virus

2008-03-30T00:29:00.000-07:00

W32/Mytob.gen@MMType Virus SubType Email Generic Discovery Date 03/02/2005 Length Varies Minimum DAT 4438 (03/02/2005) Updated DAT 5249 (03/11/2008) Minimum Engine 5.1.00 Description Added 03/02/2005 Description Modified 05/18/2005 12:08 PM (PT) Type
Type of threat.
SubType
Additional type information.
Discovery Date
Date that AVERT discovered this threat.
Length
File size, in bytes, of the threat.
Minimum DAT
McAfee DAT files contain detection and repair information for threats. The Minimum DAT field specifies the lowest/oldest DAT version that is capable of detecting the first incarnation of a threat, and the release date. The highest/newest DAT version should always be used for the most complete protection and are available on the Anti-Virus Updates page.

Each description displays the minimum, fully tested, DAT version that includes regular detection for a particular threat. These fully tested DATs are released on a daily basis. If necessary, they are also released when a Medium, Medium On Watch, or High risk threat is discovered. An EXTRA.DAT will also be posted for these more prevalent threats, if necessary.

For each description listed, detection is always available. In the event that the DAT version specified is not yet available, an EXTRA.DAT file may be downloaded via the McAfee AVERT Extra.dat Request Page. Alternatively, minimally tested HOURLY BETA DAT files are available for downloading.
Updated DAT
McAfee DAT files are constantly being updated to enhance detection capabilities. The Updated DAT field specifies the released DAT version that contains the most up to date detection.
Minimum Engine
The scan engine uses the DAT files to detect threats. The Minimum Engine field specifies the lowest/oldest engine version that is capable of detecting this threat. The highest/newest engine version should always be used for the most complete protection and are available on the Anti-Virus Updates page.
Description Added
Date/time this description was published using Pacific Time.
Description Modified
Date/time this description was last modified using Pacific Time.
Risk Assessment
Corporate User Low
Home User Low Tab Navigation
Overview Characteristics Symptoms Method of Infection Removal Variants All Information Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob Characteristics

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe
Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection

The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.
Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants
Variants
N/A

All Information
Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases
Net-Worm.Win32.Mytob (AVP) W32.Mytob W32/Mytob
Characteristics
Characteristics -

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exists. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in-line with the Sdbot worm family. Newer variants include the FURootkit , contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants are use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d) 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249) 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40) These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Error Status Server Report Mail Transaction Failed Mail Delivery System hello hi Body: (Varies, such as)

The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment. The message contains Unicode characters and has been sent as a binary attachment. Mail transaction failed. Partial message is available. Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

examples (common names, but can be random) doc.bat document.zip message.zip readme.zip text.pif hello.cmd body.scr test.htm.pif data.txt.exe file.scr In the case of two file extensions, multiple spaces may be inserted as well, for example:

document.htm (many spaces) .pif When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe . Registry keys are created to load this file at startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Run "LSA" = wfdmgr.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices "LSA" = wfdmgr.exe Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe HKEY_CURRENT_USER\Software\Microsoft\OLE
"LSA" = wfdmgr.exe

Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server named, irc.blackcarder.net , join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection

The mailing component harvests address from the local system. Files with the following extensions are targeted:

wab adb tbb dbx asp php sht htm txt pl The worm avoids certain address, those using the following strings:

.gov .mil abuse acketst arin. avp berkeley borlan bsd example fido foo. fsf. gnu google gov. hotmail iana ibm.com icrosof ietf inpris isc.o isi.e kernel linux math mit.e mozilla msn. mydomai nodomai panda pgp rfc-ed ripe. ruslis secur sendmail sopho syma tanford.e unix usenet utgers.ed Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

sandra linda julie jimmy jerry helen debby claudia brenda anna alice brent adam ted fred jack bill stan smith steve matt dave dan joe jane bob robert peter tom ray mary serg brian jim maria leo jose andrew sam george david kevin mike james michael john alex Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

mx. mail. smtp. mx1. mxs. mail1. relay. ns.
Removal -
Removal -

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

You may be a victim of software counterfeiting.

2008-03-30T00:18:00.000-07:00

You may be a victim of software counterfeiting.

Microsoft has finally activated the most aggressive part of their Windows Genuine Advantage program -- active notifications.

After downloading the latest Windows updates, if your Windows cd-key doesn't validate against Microsoft's online database of cd-keys, you may be greeted with this unpleasant five-second mandatory delay dialog at the login page:

This copy of Windows is not genuine. You may be a victim of software counterfeiting. This copy of Windows is not genuine and is not eligible to receive the full range of upgrades and product support from Microsoft.

On top of that, you get a repeating balloon notification that nags you periodically while you use the operating system:

You may be a victim of software counterfeiting. This copy of Windows is not genuine. Click this balloon to resolve now.

The warnings also get more dire as time progresses:

This copy of Windows is not genuine and you have not resolved the issue. This computer is no longer eligible to receive select security upgrades from Microsoft. To protect your computer, you must click Get Genuine now.

The language here is a little misleading. Microsoft is socially obligated to provide critical security updates to pirated machines. Otherwise those vulnerable machines will eventually be compromised and potentially used in denial of service attacks and other nefarious schemes. Microsoft does provide so-called "critical" updates to all Windows machines, regardless of whether or not they're genuine.

This is all courtesy of the mandatory "Windows Genuine Advantage Notification" service that is being delivered now through Windows Update. This isn't just a service you can disable, or a process you can kill in task manager, either. You'll have to install some kind of questionable third-party hack to get around it.

I suppose it's only malware if you're a pirate. What's a poor, beleaguered user to do? Microsoft offers five options:

1. Purchase a valid Windows XP cd-key online from Microsoft.
2. If you can produce high-quality counterfeit media, along with a proof of purchase, you can get a free replacement key from Microsoft.
3. Contact your reseller for redress.
4. Purchase Windows XP from a local OEM reseller.
5. Purchase Windows XP at a retail location.

Notice the word "Purchase" appears in three of those five options. There's almost no way to finagle a free cd-key out of this.

BIOS Explained

2008-03-08T03:14:00.001-08:00

BIOS Explained

Every computer has BIOS (Basic Input/Output System) that runs a diagnostic test each time the computer boots up. Before it launches the operating system, the BIOS checks to make sure all the hardware is working. It then works with the computer’s hardware components with the operating system.

The BIOS is stored in a ROM chip that is on your motherboard. PCs built in the past couple of years use flash BIOS, which means the BIOS is on a flash ROM chip. These chips are more easily updated than regular ROM chips. ROM is an ideal place for the BIOS because it is on a safe place on the motherboard where it is not vulnerable to drive failures. However, because ROM is slower than RAM, newer computers copy the BIOS from ROM to RAM during the startup process. This process is called shadowing, and it improves the performance of your PC.

The diagnostic test that the BIOS performs is a POST (power on self test) for the keyboard, drives, ports, chips, and all other components in the system to make sure they are working correctly. You can see and hear the BIOS performing this POST during your system’s startup process. One long beep means the BIOS successfully completed all the hardware tests. A combination of shorter beeps indicates a number of different errors. (See the Common Error Messages section for more information.) A healthy system BIOS will display information about the computer, including the amount of RAM, the number of drives, and the type of processor. If the BIOS detects a hardware problem, it will halt and display a text error messages on-screen. When this happens, you need to know how to fix or adjust your BIOS.

Time For A Change. When you have a BIOS problem, you will probably need to make changes in your BIOS’ settings. Even though this is easy and takes only a few minutes, making the wrong change can wreak havoc on your system. A problematic setting could prevent your computer from rebooting. Be very cautious and change nothing that isn’t necessary.

To change your BIOS settings, you must enter the computer’s CMOS (complementary metal-oxide semiconductor) setup screen during the startup process. CMOS is a small chip that stores information about your particular system and its devices.

To find the CMOS setup screen, reboot your computer. Start by pressing a certain keyboard combination during startup. You should see a line of text at the bottom of the display that tells you which key or keys you need to press to enter the CMOS or Setup area. (NOTE: You may have to completely shut down your system and turn it back on to see what this key combination is.) Most systems use ESC, DELETE, F1, F2, CTRL-ESC, or CTRL-ALT-ESC. If the screen doesn’t indicate which keys to press, the computer’s documentation should do so.

The screen will display several menus, each with rows and columns displaying options for changing dozens of settings. The wording is different according to each system and BIOS manufacturer. Here are some common settings and their definitions, although the names might be different in your CMOS:

System Time/Date: Lets you change the time and date displayed in the lower right corner of Windows.

Security or Password Protection: Lets you set a password for accessing the computer. Because Windows’ password screen is easy to avoid (you can press ESC or click Cancel), this BIOS option provides tighter security and requires you to enter the password before the system ever boots. Be sure to write down your new password because if you forget, it will take a great deal of work to access your computer again. (See the “Password Pains” sidebar for information on what to do if you do forget this password.)

Enable Number Lock: This setting is essential for anyone who uses the numbers on the 10-key section on the far right of the keyboard. However, if you don’t use the number pad, and you don’t like the little green light that comes on every time you boot up—the one that tells you the number lock is enabled—turn off this setting. (NOTE: You might find this option under the Start Options category.)

Memory: Because BIOS is on a relatively slow ROM chip, this setting lets you direct BIOS to shadow with RAM or a different memory source. (NOTE: You might find this option under the Advanced Setup category.)

Boot Sequence: This setting determines the order in which the BIOS reads drives in search of startup instructions. The BIOS traditionally begins with the hard drive. Change this setting to boot your machine from a CD-ROM or Zip disk when you reinstall the OS or use a boot diskette.

Exit: When you are ready to leave CMOS, you will have the options of saving the changes, discarding the changes, or restoring the system default settings. If you made changes, your computer will restart to put the new settings into effect. If you suspect that you’ve made a problematic change, exit without saving.

Upgrade. Newer computers rarely, if ever, need to have their BIOSes upgraded to work with new equipment. Both software and hardware upgrades typically come with drivers, software you install so the devices can work with your computer. Older computers, on the other hand, might need a BIOS upgrade to understand new hardware and software installed on the system. An upgrade will also have the ability to correct newly detected bugs.

To upgrade an old BIOS, start by reading the screen during startup and looking for the name of the BIOS manufacturer. If you don’t see the name of your manufacturer, go into the CMOS setup (see the above instructions). The very top of the CMOS screen should identify the BIOS maker. The largest manufacturers are Acer Labs, AMI (American Megatrends), Microid Research (Mr. BIOS), Phoenix Technologies, and Winbond.

You can also determine the manufacturer in Windows. In Windows 98 and Me, click the Start button, Programs, Accessories, System Tools, and then System Information. At the top of the left column, click System Summary. Then, you should see the BIOS Version line.

Next, find the version number of your present BIOS (if you can). This is a long string of digits and letters that flashes at the top of the screen during the first moments of start up. Press the PAUSE key to freeze the screen while you record the number. If you can find it, go back to the CMOS setup and find the BIOS date.

Go to the BIOS manufacturer’s Web site and find a BIOS upgrade program for your system. Look under a link called Free Downloads or Technical Support, then follow the instructions specific to your model PC. Upgrading BIOS can backfire if you install a version that is not compatible with your system. Thus, upgrade only when you are sure it is necessary and then do so carefully, double-checking that you are downloading the proper update. You may want to contact technical support before you install the file.

Be very careful once you enter the CMOS setup screen and start making changes. Incorrect settings could prevent the computer from rebooting.

Copy the program, including the update and utility, onto a diskette. Restart the computer with the diskette in the drive. The program should erase the old BIOS settings and install new ones. In addition, follow any manufacturer instructions for installing the software.

Fix. If you’ve tried troubleshooting a piece of hardware to no avail, the problem might be hidden in your BIOS settings. To find out, enter CMOS by pressing the correct keyboard combination during the startup process, as described above. Try these steps to correct poorly set BIOS. ( NOTE: The names for each setting might be different in your CMOS and/or you may not have some of these settings.)

The system is not detecting a new drive. Go to a CMOS setting called Drive Configuration, Hard Disk Settings, or even Devices And I/O Ports. It lets you configure the hard drives, CD-ROM drives, and diskette drives. PCs made in the past few years come with an automatic-detection program that enters configuration data into CMOS. If your system is older than that, or if you installed a drive your system is not detecting, enter the drive information manually to prompt your system to detect it. You do this in CMOS, where your drive information is located. This area is often called Drive Configuration, Hard Disk Settings, or something along those lines. There will be an option where you can choose between manual detection and automatic detection.

Diskette drive problems. If you are encountering mysterious diskette drive problems, go into the Diskette Disk or Devices And I/O Ports settings. Make sure it shows the type of drive in your A and B ports. For example, if your port has a drive for a 3.5-inch diskette or a 1.44MB diskette, the BIOS setting should reflect that information. If your computer is refusing to save data onto a diskette, make sure the Floppy Read Only setting is disabled. This setting prevents you from writing data to a diskette.

Trouble installing a mouse. If you’ve plugged in a mouse or other serial device and it is not responding, go to Serial Port Settings. This setting might have the port turned off or labeled as Disabled.

Printer woes. A new printer that is running slowly or refuses to work at all might be the victim of the wrong mode setting of its parallel port. Find a group of settings called Parallel Port or Parallel Port Setup. They will give you choice of four modes that determine the speed and transmission capabilities of the parallel-port connection: standard, bi-directional, ECP (extended capabilities port), or EPP (enhanced parallel port). Printers made several years ago use the slower, standard mode and may not work if plugged into a port set to a fast mode. Similarly, new printers may not function unless you set their ports to ECP.

Common Error Messages. Many other common BIOS problems will probably disturb your PC at one time or another. Many of these quirks will happen during the startup process. If the BIOS detects a difficulty during startup, the screen will display an error message or the system speaker will emit a combination of beeps to help you narrow down the irregularity. The computer’s documentation and BIOS manufacturer’s Web site should list dozens of codes and their meanings. Here, we translate common beep codes and error messages, although they may not be the same for your system. ( NOTE: To fix any of these problems, you may need to check with your computer’s BIOS manufacturer.)

CMOS Checksum Error —BIOS thinks a virus, dying battery, or other anomaly has changed a CMOS setting without your knowledge. This can happen when you flash the BIOS. Go into CMOS, restore the old settings, and reboot the computer. If the error does not recur, run an antivirus program just in case a bug has changed the CMOS settings. If the error does recur, replace the battery. This battery is important because it keeps the BIOS safe from power outages. Just open up the case and replace the battery. Don’t worry about losing information; it takes some time before the battery drains. However, you should replace the battery as quickly as possible.

Battery State Low—You don’t need to go into CMOS because this error specifies the problem. Open the case and replace the battery.

Diskette Drive A Error or Incorrect Drive A Type—Cables connected to Drive A might be loose. Turn off the computer, ground yourself, open up the case, and tighten cables leading to Drive A. If the message comes back when you reboot, go into CMOS to confirm you have the drive properly configured.

Keyboard Error— There is probably a loose cable between the keyboard and CPU. Tighten every cable and reboot your system. “Keyboard Error NN” indicates a key is stuck.

Diskette Boot Failure—If you’re trying to boot up from a diskette, the BIOS thinks the diskette is corrupted or has a virus. Try to boot up another computer with this diskette to learn whether it’s truly corrupted or whether your computer is to blame.

Display Switch Not Proper—A video switch (physical circuitry) on the motherboard should be set to color, but it is set to monochrome or vice versa. Turn off the machine, change the switch on the motherboard, and reboot.

KB/Interface Error—The keyboard connector is malfunctioning.

FDD Controller Failure—BIOS cannot communicate with the diskette drive controller.

HDD Controller Failure—BIOS cannot communicate with the hard drive controller.

DMA Error—The Direct Memory Access controller is malfunctioning.

One short beep—There is a problem with the memory refresh circuits on the motherboard.

Five short beeps—The CPU is indicating an error.

Eight short beeps—The video card (also called graphics card or video adapter) is missing, is not responding to the BIOS POST, or has faulty memory.

One long and three short beeps—The monitor or video RAM has failed. If you confirm these devices are functioning properly, check other parts of the video system.

Don’t Be Afraid; Be Careful. If you have a BIOS error or BIOS-related problems, don’t be afraid to try to fix the problem. If you ever foul up your system even more, reboot it while holding down the key or keys used to enter setup. This bypasses extended CMOS settings and is the first step in getting your PC up and running again. Once you get to the Setup menu, you can reload the original factory settings by choosing Load Values From CMOS. However, remember that changes you have made to the BIOS since you bought the PC, including adding storage devices, will not be reflected in these values. In addition, sometimes you can make changes that will prevent your system from rebooting again, so just be careful.

by Raya Tahan

Password Pains

Many users take advantage of the extra security settings offered in the BIOS (Basic Input/Output System). Although a computer thief or unscrupulous co-worker could easily get past your Windows password, he would have infinitely more difficulty cracking a password set in the BIOS. The downside to having this higher level of security is you will lock out yourself if you forget your password.

A CMOS (complementary metal-oxide semiconductor)-set password will cause the system to prompt you for the password during every startup, before it launches the operating system. If you lose your password or it suddenly does not work, you could have a big problem.

The first thing to do is to try to find a default or backdoor password that works with your brand of BIOS. Most major BIOS manufacturers program their chips to work with certain words as a password. Try typing the name of the manufacturer in as your password. For example, your might try “AMI,” “Award,” or “Mr Bios.” Some manufacturers set the default password to be a common word such as, “bios,” “setup,” “cmos,” “password,” “sw,” “SW,” or “BIOSTAR.”

If those don’t work, contact the maker of your PC, motherboard, and BIOS to ask whether a default password exists. If so, they should reveal it to you when you provide a receipt to show you own the PC.

If the manufacturer will not help, you must open up the case and make physical changes to the motherboard. Always unplug the computer and ground yourself by touching metal.

The motherboard manual might list a jumper that clears the present CMOS password. If this is the case, just reset the jumper and boot up your personal computer.

If your motherboard lacks this setting, you probably have to use a different motherboard jumper that resets the entire contents of the CMOS program. Find a jumper that has three pins adjacent to the battery. Reset CMOS by moving the jumper from 1-2 to 2-3, or from 2-3 to 1-2. If you had gone into CMOS and manually configured the date, time, disk drive detection, and other settings, you’ll have to do that all over again once you can get into your computer.

If your motherboard has no reset jumper whatsoever, your last resort is to erase the BIOS settings by physically pulling the CMOS battery off the motherboard. It’s a small, round battery, usually sitting near the power connector. Remove it from the board and keep it off for several hours because it takes that long for the charge to drain out of the CMOS circuits.

If your CMOS battery is soldered down to the motherboard, you should probably have a technician replace it.

Note: This compilation of information are from various sources. All credit due to its authors.
XP Support- 01/01/2005 12:42 AM - Home Page WinXP
© Copyright Kelly Theriot MS-MVP(DTS) 2005. All rights reserved.

Error Message with RAM Problems or Damaged Virtual Memory Manager

2008-03-08T03:07:00.001-08:00

SYMPTOMS
When your computer restarts after you install Windows XP Home Edition, you may receive either of the following error messages:
System has recovered from a serious error
DRIVER_IRQL_NOT_LESS_OR_EQUAL

CAUSE
This behavior may occur if either of the following conditions exist:
• One or more of the random access memory (RAM) modules that are installed in your computer are faulty, or the memory modules are not compatible with the chip set on your computer mainboard.
• The Page file that is used by the Virtual Memory Manager may be damaged.

RESOLUTION
To resolve this issue:
1. Make sure that the memory modules in your computer are compatible with the chip set on your computer mainboard.

If you change your RAM, test to determine if the issue is resolved. If the issue is resolved, do not complete the remaining steps. If the issue is not resolved, go to step 2.
2. Click Start, right-click My Computer, and then click Properties.
3. Click the Advanced tab.
4. Under Performance, click Settings.
5. Click the Advanced tab.
6. Under Virtual Memory, click Change.
7. Click No paging file. Click OK, click OK, and then click OK.
8. Restart your computer.
9. Click Start, right-click My Computer, and then click Properties.
10. Click the Advanced tab.
11. Under Performance, click Settings.
12. Click the Advanced tab.
13. Under Virtual Memory, click Change.
14. Click System managed sized. Click OK, click OK, and then click OK.
15. Restart your computer.

Removing the Happy99.exe Virus/Worm

2008-03-08T03:03:00.000-08:00

This virus or worm as it is better described is attached to newsgroup and e-mail messages as an attachment called Happy99.exe. You cannot get infected with this virus just by reading a newsgroup or e-mail message. You have to execute the attachment by opening it. Generally, the person who sent it does not know that they are sending it out. If you didn't execute the attachment, you can just delete it and move on. If you execute an infected attachment, it will display a firework display, once its been activated every email you send will have the file attached. When someone else opens it, the virus spreads and the destruction continues.

Here's how Happy99.exe infects your system:

It will create two files in the Windows System folder, SKA.EXE and SKA.DLL. SKA.EXE will be a copy of HAPPY99.EXE. It will copy the original WSOCK32.DLL to WSOCK32.SKA. Then it will modify WSOCK32.DLL without changing its size so it will try to run SKA.DLL while posting to Usenet and sending E-Mail. The SKA.DLL file will silently attach HAPPY99.EXE to a second copy of outgoing newsgroup and e-mail messages with a barely noticable delay.

It does not modify any other file besides WSOCK32.DLL. WSOCK32.DLL is a regular part of Windows that provides a connnection to the Internet. If it is unable to modify WSOCK32.DLL, then it will add SKA.EXE to the RunOnce section of the registry and WSOCK32.DLL will be modified next time the computer starts. It will still create WSOCK32.SKA even if it is unable to modify WSOCK32.DLL. This virus will keep a list of message recipients in the file LISTE.SKA in the Windows System folder. It will try not to send the Happy99.exe file twice to the same person.

Since it gets passed along a lot, a different virus could attach to HAPPY99.EXE somewhere along the way. Without SKA.DLL and SKA.EXE, the modified WSOCK32.DLL cannot perform any viral action. However using a modified WSOCK32.DLL could cause problems while on the Internet. The most common problem that has been reported is invalid page faults, but these can have other causes. Restoring the original WSOCK32.DLL will correct these problems.

This virus does not affect Macs, DOS, Windows 3.x, OS/2, Linux or WebTV. However, someone using one of those could pass it along manually, for example by forwarding the message. Under Windows NT it will create SKA.EXE, SKA.DLL, and WSOCK32.SKA but will fail to add itself to the registry or modify WSOCK32.DLL. If you have NT, you don't have to follow the removal steps; you can simply delete SKA.DLL and SKA.EXE from inside Windows NT if you would like.

Some people have asked whether it is always called HAPPY99.EXE. This virus doesn't contain any code to change the name. However, it would be simple for a person to change it to anything they like.

It contains the encrypted text:

"Is it a virus, a worm, a trojan? MOUT-MOUT Hybrid (c) Spanska 1999."

Automatic Removal of Happy99.exe

Download the following file, unzip it and run it in Windows95 or Windows 98 by double-clicking on it. This small program will perform the steps seen in the manual removal method with no user intervention. Once the program is run, your system will want to reboot. This must happen to completely remove the happy99.exe worm.

Craig Schmugar's Happy99Cleaner program (click to download)

Another Happy99.exe Remover (click to download)

Manual Removal of Happy99.exe

Steps marked optional are not absolutely necessary and are completely safe to skip. If you're not comfortable with DOS, get someone knowledgable to help you with this. I cannot make guarantees of perfect safety since its a manual removal, Perform these at your own risk. If you have Windows NT, you don't have to follow the removal steps.

1. Click Start, then Shut Down, then "Restart Computer in MS-DOS mode", then click Yes. It's important to exit Windows in order to be able to replace the file WSOCK32.DLL which Windows normally has in use.

2.At the DOS prompt type this exactly and press enter at the end of each line:

CD \WINDOWS\SYSTEM

3. Delete SKA.EXE and SKA.DLL by typing

DEL SKA.EXE
DEL SKA.DLL

If you get "File not found" you're either not infected or in the wrong directory. Make sure you're in your Windows System directory; check to see if you followed step 2 exactly.

4.Copy WSOCK32.SKA to WSOCK32.DLL by typing

ATTRIB -R WSOCK32.DLL
COPY WSOCK32.SKA WSOCK32.DLL

Answer "Yes" if it asks if you want to overwrite WSOCK32.DLL.

WSOCK32.SKA is a backup of the original WSOCK32.DLL. You are replacing the modified DLL with the original. If you get a "Sharing violation" make sure you followed step 1.

5.Optional Delete WSOCK32.SKA by typing

DEL WSOCK32.SKA

You can leave WSOCK32.SKA on your system. It is a copy of your original WSOCK32.DLL Do not delete WSOCK32.SKA if you are unable to replace WSOCK32.DLL with WSOCK32.SKA.

6.Return to Windows by typing

EXIT

7.Optional Delete Windows Registry Key.
Click Start, then Run, then type regedit in the text box, then click OK. Click HKEY_LOCAL_MACHINE, then Software, then Microsoft, then Windows, then CurrentVersion. Under RunOnce check for SKA.EXE and select it if it is there. Press delete and then click Yes. Close Regedit. Don't change anything else without making a backup of the registry first. If you don't find SKA.EXE in the registry, it doesn't mean you're not infected. SKA.EXE is only added to the registry if HAPPY99.EXE is unable to modify WSOCK32.DLL when you run it. Also, you'll only find it in the registry if you haven't rebooted since you ran HAPPY99.EXE.

8.Optional Choose Start, Programs, Accessories, Notepad, choose File, then Open then type C:\WINDOWS\SYSTEM\LISTE.SKA in the File Name box. Warn the people on the list, then delete LISTE.SKA. Make it clear to the people you warn that they won't be infected unless they ran happy99.exe, to avoid alarming them unnecessarily. If you haven't sent out any infected e-mails, there won't be a LISTE.SKA.

9. Optional Delete the HAPPY99.EXE file. The location of HAPPY99.EXE will vary depending on where you saved it. You can delete it simply by dragging it to the Recycle Bin from within Windows or whatever method you prefer. You may still have some messages with HAPPY99.EXE attached in your mailbox. These cannot do anything unless you run them. You can delete them if you want to or just ignore them. 10.Optional If you aren't sure whether WSOCK32.DLL is infected, choose Start, then Find, then "Files or Folders". Then type WSOCK32.DLL in the "Named" box. In the "Look in" box choose drive C: or whatever drive you have Windows on. In the "Containing Text" box type "ska.dll" without the quotes. Then click "Find Now". If you don't find any files, that means that wsock32.dll isn't the modified version. If you don't have the modified WSOCK32.DLL, the virus has no way to attach to e-mails, even if you have SKA.EXE, SKA.DLL, and WSOCK32.SKA in the Windows System folder. If you have SKA.EXE in the RunOnce registry section, and you haven't deleted SKA.EXE, then the virus will try to modify WSOCK32.DLL the next time you restart the computer.

Make sure you type the instructions exactly including spaces and punctuation. You might want to print out the removal instructions so you have something to refer to. If you're having trouble with the DOS commands, get a local person to help you with them. It's hard to know exactly how you're typing the DOS commands and what your exact situation is without seeing it in person.

How to Fix SVCHOST.EXE Application Error 0x745f2780

2008-03-08T03:01:00.000-08:00

How to Repair this SVCHOST.EXE error
After some investigating into the 0X745f2780 SVCHOST error, it became apparent the problem is a corrupted Windows Update in Windows XP. Follow the steps below to fix this error.

Verify Windows Update Service Settings

* Click on Start, Run and type the following command in the open box and click OK

services.msc

* Find the Automatic Updates service and double-click on it.
* Click on the Log On Tab and make sure the "Local System Account" is selected as the logon account and the box for "allow service to interact with desktop" is UNCHECKED.
* Under the Hardware Profile section in the Log On Tab, make sure the service is enabled.
* On the General Tab, the Startup Type should be Automatic, if not, drop the box down and select Automatic.
* Under "Service Status" on the General tab, the service should be Started, click the Start button enable it.
* Repeat the steps above for the service "Background Intelligent Transfer Service (BITS)"

Re-Register Windows Update DLLs

* Click on Start, Run, and type CMD and click ok
* In the black command window type the following command and press Enter

REGSVR32 WUAPI.DLL

* Wait until you receive the "DllRegisterServer in WUAPI.DLL succeeded" message and click OK
* Repeat the last two steps above for each of the following commands:

REGSVR32 WUAUENG.DLL
REGSVR32 WUAUENG1.DLL
REGSVR32 ATL.DLL
REGSVR32 WUCLTUI.DLL
REGSVR32 WUPS.DLL
REGSVR32 WUPS2.DLL
REGSVR32 WUWEB.DLL

Remove Corrupted Windows Update Files

* At the command prompt, type the following command and press Enter

net stop WuAuServ
* Still at the command prompt,

type cd %windir% and press Enter
* In the opened folder, type the following command and press Enter to rename the SoftwareDistribution Folder

ren SoftwareDistribution SD_OLD
* Restart the Windows Update Service by typing the following at the command prompt

net start WuAuServ

* type Exit and Press Enter to close the command prompt

Reboot Windows

* click on Start, Shut Down, and Restart to reboot Windows XP

Although this method may not solve all of the issues with a SVCHOST.EXE Application error, I have found it fixed the problem with the 0x745f2780 reference error.

Other Issues with SVCHOST.EXE

I've encountered other issues with SVCHOST taking up 100% of the CPU Cycles. These issues are usually experienced with Windows Update in some form or another. To fix this frustrating problem, following these steps:

1) Download and install Update for Windows XP (KB927891)
2) Download and install an update for Windows Update Agent WSUS 3.0
3) Restart your computer and your computer should run better with slowing to a crawl because of SVCHOST.EXE

How to Fix Windows Update Error 0x80070420

2008-03-08T02:57:00.000-08:00

you have Windows XP and are receiving the Windows Update Error 0x80070420, please follow the steps below to solve it.

First, Check to see if you have Windows Installer 3.1 installed on your computer. To do this follow these steps:

1) Click on Start, Control Panel
2) Double-click on Add/Remove Programs
3) Search your Program List for the program

4) If you find it there, click on Remove to uninstall it. Then reboot your computer. If it is not there proceed to step 5.

5) Click on the following link to Microsoft's Download Center to download Windows Installer 3.1

http://www.microsoft.com/downloads/details.aspx?familyid=889482fc-5f56-4a38-b838-de776fd4138c&displaylang=en

6) Install Windows Installer 3.1 and reboot your computer

7) Go to Windows Update and try to download the updates again.

Note: sometimes you may also receive this error if Windows XP has not been activated. To read about How to Activate Windows XP, click on the following support article from Microsoft.

http://support.microsoft.com/?kbid=307890

Internet Privacy Software to clean your computer tracks and keep your computer safe

2008-03-08T02:55:00.000-08:00

What's so important about Internet Privacy?
Every time you open a browser to view a web page, order something online, or read your email in a web based viewer that information is stored on your computer for later use. Whether you are viewing the weather online, reading sports, catching up on the latest world news or viewing something a little more private, all that information is stored in your computer. Windows operating systems store all this material in what are called Temporary Internet Files or cache. Web pages may store bits of information about who you are when you visit web sites in files called cookies on your computer. Your web browser will store a list of web sites you've visited and places you've gone in a history file in your computer. Even if you are not online, programs will store histories of the files you've opened, played, or viewed.

Generally there might not be any reason to worry about all these files in your computer, but what if you sell your computer and all that information is left for someone else to see. Maybe friends and relatives visit and use your computer and you dont want everyone to know what files you are running on your computer. Then you are going to want to know how to delete these files.

Even if you are not worried about privacy on your computer, you may be surprised to realize how much hard drive space all this information takes up. If you are running out of drive space, you may want to delete these files.

How can I delete these files?

For Internet Explorer 5 and above, you can follow these directions to clear out temporary files and delete cookies.

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive.

To clear the Internet History in IE:

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Clear History
4) Click OK

To clean up other temporary files on your computer in Windows 98 or higher:

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files

Are there programs to do this automatically?

One of the first and still the best programs on the market to clear internet files, run history, cookies, and other files is Window Washer by Webroot Software. It even has a "bleach" feature to make sure that information cannot be read once its deleted. You can read more about Window Washer by clicking on the picture below:

Window Washer

The other side of this problem is how do you recover an accidentally deleted file? Is it gone forever? Well the easy answer to that question is no, recovering it however may be more difficult unless you have special recovery software. One of the easiest pieces of software to recover important files is File-Saver. File-Saver can:

*

Instantly displays hundreds of deleted files from any drive on your computer
*

Provides full detail on each file, including filename, folder and last modified date
*

Allows you to quickly erase all confidential data, by wiping out all the hidden "undelete" data from your PC
*

Restore any file by back to the location of your choice, by clicking the 'Restore by Copying' button
*

Easily narrow down the results to just the file you want, using the built-in file and extension filter

Recover from a Corrupted Registry in Windows XP

2008-03-08T02:53:00.001-08:00

When Will This Recovery Work?
You'll want to use the steps on this page to recover from a corrupted registry when you have already tried other options such as System Restore and you receive a message similar to one of the following when you try to boot your computer with Windows XP.

* Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM

* Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE

* Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate

* System error: Lsass.exe
When trying to update a password the return status indicates that the value provided as the current password is not correct.

Be careful using this procedure in other circumstances or with an OEM version of Windows XP since OEM installations create passwords and user accounts that did not exist previously and may cause you not to be able to log into the Recovery Console to restore files.

Booting into the Recovery Console

You'll need to use the Windows XP Recovery Console to fix a corrupted registry, this will either require you to boot from a Windows XP Installation CD or boot directly to the Recovery Console if its installed. Follow these steps to boot into the Recovery Console from a Windows XP Installation CD.

1) Place your Windows XP in the CD-ROM Drive
2) Restart your computer and make sure your BIOS is set to boot from CD
3) When you see the following command press the space bar.

"press any key to boot from cd..."

4) Wait until you see the "Welcome to Setup" screen, and press R to start the Recovery Console
5) Choose which Windows installation you wish to load (this is usually #1 unless you have a multi-boot system)
6) Type the administrator password and Press Enter
7) You should now be at the C:\Windows> prompt

Copy Repair Files Using the Recovery Console

This procedure assumes Windows is installed on Drive C, if you have installed Windows on another drive, please substitute the appropriate drive letter in the procedure below.

At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak

delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default

copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

Type exit to quit Recovery Console. Your computer will restart, press F8 as it starts and choose Safe Mode.

Restart in Safe Mode and Find a Recent Snapshot Backup

Restart your computer in Safe Mode by pressing F8 during the initial bootup and choosing Safe Mode. Once in Safe Mode, you need to make sure the files and folders are visible so you can access them. Follow these instructions to accomplish this.

1. Open My Computer
2. Click on the Tools menu, then click Folder Options.
3. Click the View tab.
4. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.
5. Click Yes when the dialog box that confirms that you want to display these files appears.

In My Computer, Double-click the drive where you installed Windows XP (usually Drive C) to display a list of the folders. then double-click on the "System Volume Information" folder. This folder contains the system restore points stored on your computer. The folders will look similar to

_restore{EE42BEB8-700A-495F-8004-53D26C2E12C5}

You might receive an access denied error message similar to the following when trying to access the System Volume Information folder.

C:\System Volume Information is not accessible. Access is denied.

This is generally caused because the user you are logged in under does not have permissions set on the folder. To fix this, follow the instructions in the Microsoft Knowledge Base article 309531 to gain access and continue. Each version of Windows XP is different on how to change these permissions.

Once you have access to the snapshots, use the instructions below to copy one of the latest snapshots to the Windows\TMP directory so you have access to it.

1) In the System Volume Information Folder, click on View, and then click Details to display the date of each snapshot folder.
2) Double-click on a folder that was not created at the current time but rather before the problem started.
3) Double-click on the Snapshot subfolder
4) Using your normal windows copy and paste techniques, highlight the following files and copy them into the C:\Windows\TMP folder

* _REGISTRY_USER_.DEFAULT
* _REGISTRY_MACHINE_SECURITY
* _REGISTRY_MACHINE_SOFTWARE
* _REGISTRY_MACHINE_SYSTEM
* _REGISTRY_MACHINE_SAM

5) Rename the files that you just copied into the C:\Windows\TMP folder by right-clicking on each filename and choosing Rename, then typing the new name. Repeat this for each file in the list below.

* Rename _REGISTRY_USER_.DEFAULT to DEFAULT
* Rename _REGISTRY_MACHINE_SECURITY to SECURITY
* Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
* Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
* Rename _REGISTRY_MACHINE_SAM to SAM

6) Once you have renamed the files, restart your computer again with the Recovery Console (refer to the instructions above to do this)

Replace the Repair Files with a Current Backup of the Registry

After rebooting the computer and starting the Recovery Console again, type the following commands at the prompt to replace the files with a current backup. You'll need to press Enter after each command.

del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system

copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default

After the files have been replaced, type EXIT at the command prompt to restart Windows in normal mode.

Use System Restore to Return to a Good Backup Point

Because there is more to a System Restore than just the registry files, follow these steps to restore your computer to a good backup point.

1. Click Start, and then click All Programs.
2. Click Accessories, and then click System Tools.
3. Click System Restore, and then click Restore to a previous Restore Point and finish the restore.

Regestry Editing

2008-03-08T02:32:00.000-08:00

Registry Editor
Registry Editor is an advanced tool for viewing and changing settings in your system registry, which contains information about how your computer runs. Windows stores its configuration information in a database (the registry) that is organized in a tree format. Although Registry Editor enables you to inspect and modify the registry, normally you do not need to do so, and making incorrect changes can break your system. An advanced user who is prepared to both edit and restore the registry can safely use Registry Editor for such tasks as eliminating duplicate entries or deleting entries for programs that have been uninstalled or deleted.
Using Registry Editor with Windows XP, 64-Bit Edition
The registry in Windows XP, 64-Bit Edition is divided into 32-bit and 64-bit keys. Many of the 32-bit keys have the same names as their 64-bit counterparts, and vice versa. The default, 64-bit version of Registry Editor that comes with Windows XP, 64-Bit Edition displays only the 64-bit keys.
To view or edit 32-bit keys from the registry of a computer running Windows XP, 64-Bit Edition, you must use the 32-bit version of Registry Editor in the %systemroot%\Syswow64 folder. You must close the 64-bit version of Registry Editor before you can open the 32-bit version, and vice versa. There are no differences in the way you perform tasks between the 32-bit version of Registry Editor and the 64-bit version of Registry Editor.
To open the 32-bit version of Registry Editor, click Start, click Run, type %systemroot%\syswow64\regedit, and click OK.
Change keys and values
• Find a string, value, or key
• Add a registry key to Favorites
• Add a key
• Add a value
• Change a value
• Delete a key or value
• Rename a key or value
• Connect to a registry over the network
• Disconnect from a network registry
• Copy a registry key name
• Restore the registry

To find a string, value, or key:
1. Open Registry Editor.
2. On the Edit menu, click Find.
3. In Find what, type the string, value, or key you want to find.
4. Select the Keys, Values, Data, and Match whole string only check boxes to match the type of search you want, and then click Find Next.
To add a registry key to Favorites
1. Open Registry Editor.
2. Select the registry key you want to add to Favorites.
3. On the Favorites menu, click Add to Favorites.
4. In the Add to Favorites dialog box, accept the default registry key name or type a new one.
The registry key is added to the Favorites list. You can then return to this list by simply selecting it from the Favorites menu.
To add a key
1. Open Registry Editor.
2. In the registry tree (on the left), click the registry key under which you would like to add a new key.
3. On the Edit menu, point to New, and then click Key.
4. Type a name for the new key, and then press ENTER
To add a value
1. Open Registry Editor.
2. Click the key or entry where you want to add the new value.
3. On the Edit menu, point to New, and then click the type of value you want to add: String Value, Binary Value, DWORD Value, Multi-String Value, or Expandable String Value.
4. Type a name for the new value, then press ENTER
To change a value
1. Open Registry Editor.
2. Select the entry you want to change.
3. On the Edit menu, click Modify.
4. In Value data, type the new data for the value, and then click OK.
To delete a key or value
1. Open Registry Editor.
2. Click the key or entry you want to delete.
3. On the Edit menu, click Delete.
Caution
• Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on your computer.
Notes
• To open Registry Editor, click Start, click Run, type regedit, and then click OK.
• You can delete keys and values from your registry. However, you cannot delete a predefined key (such as HKEY_CURRENT_USER) or change the name of a predefined key.
• If you make a mistake that results in your computer not starting properly, you can restore the registry.

To rename a key or value
1. Open Registry Editor.
2. Click the key or entry you want to rename.
3. On the Edit menu, click Rename.
4. Type the new name, and then press ENTER
To connect to a registry over a network
1. Open Registry Editor.
2. On the File menu, click Connect Network Registry.
3. In the Connect Network Registry dialog box, type the name of the computer to whose registry you want to connect.
To disconnect from a network registry
1. Open Registry Editor.
2. On the File menu, click Disconnect Network Registry.
3. In the Disconnect Network Registry dialog box, click the name of the computer from whose registry you want to disconnect.
To copy a registry key name
1. Open Registry Editor.
2. In the registry tree (on the left), click a registry key.
3. On the Edit menu, click Copy Key Name.
4. Paste the name of the registry key into another program or document

To restore the registry
1. Open Registry Editor.
2. Click Options, and then click Print to print these instructions. (If you are using the Help and Support Center, click Print above the topic area.) They will not be available after you shut down your computer in step 2.
3. Click Start, and then click Shut Down.
4. In the list, click Restart, and then click OK.
5. When you see the message Please select the operating system to start, press F8.
6. Use the arrow keys to highlight Last Known Good Configuration, and then press ENTER.
NUM LOCK must be off before the arrow keys on the numeric keypad will function.
7. Use the arrow keys to highlight an operating system, and then press ENTER

To export all or part of the registry to a text file
1. Open Registry Editor.
2. On the File menu, click Export.
3. In File name, enter a name for the registry file.
4. Under Export range, do one of the following:
o To back up the entire registry, click All.
o To back up only a particular branch of the registry tree, click Selected branch and enter the name of the branch you want to export.
5. Click Save.
To import some or all of the registry
1. Open Registry Editor.
2. On the File menu, click Import Registry File.
3. Find the file you want to import, click the file to select it, then click Open.

To export a registry key to a hive file
1. Open Registry Editor.
2. Select the key that you want to save as a file.
3. On the File menu, click Export.
4. In the Export Registry File dialog box, in Save in, click the drive, folder, or network computer and folder where you want to save the hive.
5. In File name, enter a name for the hive.
6. In Save as type, click Registry Hive Files.
7. Click Save.
To import a registry key from a hive file
1. Open Registry Editor.
2. Select the keys in which you want to restore the hive.
3. On the File menu, click Import.
4. In Look in, select the drive, folder, or network computer and folder in which the hive is located.
5. In Files of type, click Registry Hive Files.
6. Select the correct file name for the hive.
7. Click Open.

To load a hive into the registry
1. Open Registry Editor.
2. In the registry tree (on the left), click either the HKEY_USERS or HKEY_LOCAL_MACHINE keys.
3. On the File menu, click Load Hive.
4. In Look in, click the drive, folder, or network computer and folder that contains the hive you want to load.
5. Click Open.
6. In Key Name, type the name that you want to assign to the hive, and then click OK.
To unload a hive from the registry
1. Open Registry Editor.
2. Select a hive that you have previously loaded onto your system.
3. On the File menu, click Unload Hive

To assign permissions to a registry key
1. Open Registry Editor.
2. Click the key to which you want to assign permissions.
3. On the Edit menu, click Permissions.
4. Assign an access level to the selected key as follows:
o To grant the user permission to read the key contents, but not save any changes made to the file, under Permissions for name, for Read, select the Allow check box.
o To grant the user permission to open, edit, and take ownership of the selected key, under Permissions for name, for Full Control, select the Allow check box.
o To grant the user special permission in the selected key, click Advanced.
5. If you are assigning permissions to a subkey and you want the inheritable permissions assigned to the parent key to apply to the subkey also, select the Inherit from parents the permission entries that apply to child objects. Include these with entries explicitly defined here check box
To assign special access to a registry key
1. Open Registry Editor.
2. Click the key to which you want to assign special access.
3. On the Edit menu, click Permissions.
4. Click Advanced, and then double-click the user or group to whom you want to assign special access.
5. Under Permissions, select the Allow or Deny check box for each permission you want to allow or deny.

To add users or groups to the Permissions list
1. Open Registry Editor.
2. Click the key whose Permissions list you want to change.
3. On the Edit menu, click Permissions, and then click Add.
4. In the Select Users, Computers, or Groups dialog box, in Locations, click the computer or domain of the users and groups you want to view.
5. Click the name of the user or group, click Add, and then click OK.
6. In the Permissions dialog box, under Permissions for name, assign a type of access to the selected user or group as follows:
o To grant the user permission to read the key contents but not to save any changes made to it, select the Allow check box for Read.
o To grant the user permission to open, edit, and take ownership of the selected key, select the Allow check box for Full Control

To grant Full Control of a registry key
1. Open Registry Editor.
2. Click the key to which you want to grant Full Control.
3. On the Edit menu, click Permissions.
4. Under Group or user names, click the user to whom you want to grant Full Control of your registry key.
5. Under Permissions for name, where name represents the name of the user to whom you are granting Full Control of the key, select the Allow check box for Full Control
To audit activity on a registry key
1. Open Registry Editor.
2. Click the key you want to audit.
3. On the Edit menu, click Permissions.
4. Click Advanced, and then click the Auditing tab.
5. Double-click the name of a group or user.
6. Under Access, select or clear the Successful and Failed check boxes for the activities that you want to audit or to stop auditing:
Select To audit
Query Value Any attempts to read a entry from a registry key
Set Value Any attempts to set entries in a registry key
Create Subkey Any attempts to create subkeys on a selected registry key
Enumerate Subkeys Any attempts to identify the subkeys of a registry key
Notify Any notification events from a key in the registry
Create Link Any attempts to create a symbolic link in a particular key
Delete Any attempts to delete a registry object
Write DAC Any attempts to write a discretionary access control list on the key
Write Owner Any attempts to change the owner of the selected key
Read Control Any attempts to open the discretionary access control list on a key

To add users or groups to the audit list
1. Open Registry Editor.
2. Click the key you want to audit.
3. On the Edit menu, click Permissions.
4. Click Advanced, click the Auditing tab, and then click Add.
5. Click Object Types, select the type or types of users or groups you want to find, and then click OK.
6. Click Locations, select the computer or domain of the users or groups you want to view, and then click OK.
7. Type the name of the user or group you want to add and then click OK to open the Auditing Entry dialog box, or click Advanced to search for a user, computer, or group based on parameters you set.

To take ownership of a registry key
1. Open Registry Editor.
2. Click the key you want to take ownership of.
3. On the Edit menu, click Permissions.
4. Click Advanced, and then click the Owner tab.
5. Under Change owner to, click the new owner, and then click OK.
To print all or part of the registry
1. Open Registry Editor.
2. Click the computer or top-level key of the registry area you want to print.
3. On the File menu, click Print.
4. You can print the entire registry by clicking All or only part of the registry by clicking Selected Branch and typing the desired branch in the text box, and then click OK.
Registry Editor overview
Registry Editor is an advanced tool for viewing and changing settings in your system registry, which contains information about how your computer runs. Windows stores its configuration information in a database (the registry) that is organized in a tree format. Although Registry Editor enables you to inspect and modify the registry, normally you do not need to do so, and making incorrect changes can break your system. An advanced user who is prepared to both edit and restore the registry can safely use Registry Editor for such tasks as eliminating duplicate entries or deleting entries for programs that have been uninstalled or deleted.
Folders represent keys in the registry and are shown in the navigation area on the left side of the Registry Editor window. In the topic area on the right, the entries in a key are displayed. When you double-click a entry, it opens an editing dialog box.
You should not edit your registry unless it is absolutely necessary. If there is an error in your registry, your computer may not function properly. If this happens, you can restore the registry to the same version you were using when you last successfully started your computer. For instructions, see Related Topics.
Registry Editor Keys
The navigation area of the Registry Editor displays folders, each of which represents a predefined key on the local computer. When accessing the registry of a remote computer, only two predefined keys, HKEY_USERS and HKEY_LOCAL_MACHINE, appear.
Folder/predefined key Description
HKEY_CURRENT_USER Contains the root of the configuration information for the user who is currently logged on. The user's folders, screen colors, and Control Panel settings are stored here. This information is referred to as a user's profile.
HKEY_USERS Contains the root of all user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS.
HKEY_LOCAL_MACHINE Contains configuration information particular to the computer (for any user).
HKEY_CLASSES_ROOT Is a subkey of HKEY_LOCAL_MACHINE\Software. The information stored here ensures that the correct program opens when you open a file by using Windows Explorer.
HKEY_CURRENT_CONFIG Contains information about the hardware profile used by the local computer at system startup.
The following table lists the data types currently defined and used by the system.
Data type Description
REG_BINARY Raw binary data. Most hardware component information is stored as binary data and is displayed in Registry Editor in hexadecimal format.
REG_DWORD Data represented by a number that is 4 bytes long. Many parameters for device drivers and services are this type and are displayed in Registry Editor in binary, hexadecimal, or decimal format.
REG_EXPAND_SZ A variable-length data string. This data type includes variables that are resolved when a program or service uses the data.
REG_MULTI_SZ A multiple string. Values that contain lists or multiple values in a form that people can read are usually this type. Entries are separated by spaces, commas, or other marks.
REG_SZ A fixed-length text string.
REG_FULL_RESOURCE_DESCRIPTOR A series of nested arrays designed to store a resource list for a hardware component or driver.

Windows Registry

2008-03-08T00:18:00.000-08:00

The Windows registry is a directory which stores settings and options for the operating system for Microsoft Windows 32-bit versions, 64-bit versions and Windows Mobile. It contains information and settings for all the hardware, operating system software, most non-operating system software, users, preferences of the PC, etc. Whenever a user makes changes to Control Panel settings, file associations, system policies, or most installed software, the changes are reflected and stored in the registry. The registry also provides a window into the operation of the kernel, exposing runtime information such as performance counters and currently active hardware. This use of registry mechanism is conceptually similar to the way that Sysfs and procfs expose runtime information through the file system (traditionally viewed as a place for permanent storage), though the information made available by each of them differs tremendously.

The Windows registry was introduced to tidy up the profusion of per-program INI files that had previously been used to store configuration settings for Windows programs. These files tended to be scattered all over the system, which made them difficult to track.
Contents

The registry contains two basic elements: keys and values.

Registry Keys are similar to folders - in addition to values, each key can contain subkeys, which may contain further subkeys, and so on. Keys are referenced with a syntax similar to Windows' path names, using backslashes to indicate levels of hierarchy. E.g. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows refers to the subkey "Windows" of the subkey "Microsoft" of the subkey "Software" of the HKEY_LOCAL_MACHINE key.

Registry Values are name/data pairs stored within keys. Values are referenced separately from keys. Value names can contain backslashes but doing so makes them difficult to distinguish from their key paths. The Windows API functions that query and manipulate registry values take value names separately from the key path and/or handle that identifies the parent key.

The terminology is somewhat misleading, as the values are similar to an associative array, where standard terminology would refer to the name part of the value as a "key". The terms are a holdout from the 16-bit registry in Windows 3, in which keys could not contain arbitrary name/data pairs, but rather contained only one unnamed value (which had to be a string). In this sense, the entire registry was like an associative array where the keys (in both the registry sense and dictionary sense) formed a hierarchy, and the values were all strings. When the 32-bit registry was created, so was the additional capability of creating multiple named values per key, and the meanings of the names were somewhat distorted[2].

There are a number of different types of values:
List of Registry Value Types
0 REG_NONE No type
1 REG_SZ A string value
2 REG_EXPAND_SZ An "expandable" string value that can contain environment variables
3 REG_BINARY Binary data (any arbitrary data)
4 REG_DWORD/REG_DWORD_LITTLE_ENDIAN A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [232 – 1]) (little-endian)
5 REG_DWORD_BIG_ENDIAN A DWORD value, a 32-bit unsigned integer (numbers between 0 and 4,294,967,295 [232 – 1]) (big-endian)
6 REG_LINK symbolic link (UNICODE)
7 REG_MULTI_SZ A multi-string value, which is an array of unique strings
8 REG_RESOURCE_LIST Resource list
9 REG_FULL_RESOURCE_DESCRIPTOR Resource descriptor
10 REG_RESOURCE_REQUIREMENTS_LIST Resource Requirements List
11 REG_QWORD/REG_QWORD_LITTLE_ENDIAN A QWORD value, a 64-bit integer (either big- or little-endian, or unspecified)

Hives

The Registry is split into a number of logical sections, or "hives".[3] Hives are generally named by their Windows API definitions, which all begin "HKEY". They are abbreviated to a three- or four-letter short name starting with "HK" (e.g. HKCU and HKLM).

The HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER nodes have a similar structure to each other; applications typically look up their settings by first checking for them in "HKEY_CURRENT_USER\Software\Vendor's name\Application's name\Version\Setting name", and if the setting is not found look instead in the same location under the HKEY_LOCAL_MACHINE key.
When writing settings back, the reverse approach is used — HKEY_LOCAL_MACHINE is written first, but if that cannot be written to (which is usually the case if the logged-in user is not an administrator), the setting is stored in HKEY_CURRENT_USER instead.

HKEY_CLASSES_ROOT

Abbreviated HKCR, HKEY_CLASSES_ROOT stores information about registered applications, such as Associations from File Extensions and OLE Object Class IDs tying them to the applications used to handle these items. On Windows 2000 and above, HKCR is a compilation of HKCU\Software\Classes and HKLM\Software\Classes. If a given value exists in both of the subkeys above, the one in HKCU\Software\Classes is used.[4]

HKEY_CURRENT_USER (HKCU)

Abbreviated HKCU, HKEY_CURRENT_USER stores settings that are specific to the currently logged-in user. The HKCU key is a link to the subkey of HKEY_USERS that corresponds to the user; the same information is reflected in both locations. On Windows-NT based systems, each user's settings are stored in their own files called NTUSER.DAT and USRCLASS.DAT inside their own Documents and Settings subfolder.

HKEY_LOCAL_MACHINE (HKLM)

Abbreviated HKLM, HKEY_LOCAL_MACHINE stores settings that are general to all users on the computer. On NT-based versions of Windows, HKLM contains four subkeys, SAM, SECURITY, SOFTWARE and SYSTEM, that are found within their respective files located in the %SystemRoot%\System32\Config folder. A fifth subkey, HARDWARE, is volatile and is created dynamically, and as such is not stored in a file. Information about system hardware drivers and services are located under the SYSTEM subkey, while the SOFTWARE subkey contains software and Windows settings.

HKEY_USERS

Abbreviated HKU, HKEY_USERS contains subkeys corresponding to the HKEY_CURRENT_USER keys for each user registered on the machine.

HKEY_CURRENT_CONFIG

Abbreviated HKCC, HKEY_CURRENT_CONFIG contains information gathered at runtime; information stored in this key is not permanently stored on disk, but rather regenerated at boot time.

HKEY_PERFORMANCE_DATA

This key provides runtime information into performance data provided by either the NT kernel itself or other programs that provide performance data. This key is not displayed in the Registry Editor, but it is visible through the registry functions in the Windows API.
Editing

Manual editing
The Registry Editor in Windows Vista
The Registry Editor in Windows Vista
Windows 3.11 Registry Editor
Windows 3.11 Registry Editor

The registry can be edited manually in Microsoft Windows by running regedit.exe or regedt32.exe in the Windows directory. However, careless registry editing can cause irreversible damage. Thus, performing back-ups of the registry is highly recommended. Many optimization and "hacking" tools are available to modify this portion of the Windows operating system; it is preferable not to use them unless one has a knowledge of registry workings or wishes to learn more about the registry.

A simple implementation of the current registry tool appeared in Windows 3.x, called the "Registration Info Editor" or "Registration Editor". This was basically just a database of applications used to edit embedded OLE objects in documents.

Windows NT introduced permissions for Registry editing. Windows NT 4 and Windows 2000 were distributed with both the Windows 9x REGEDIT.EXE program and Windows NT 3.x's REGEDT32.EXE program. There are several differences between the two editors on these platforms:

* REGEDIT.EXE had a left-side tree view that began at "My Computer" and listed all loaded hives. REGEDT32.EXE had a left-side tree view, but each hive had its own window, so the tree displayed only keys.
* REGEDIT.EXE represented the three components of a value (its name, type, and data) as separate columns of a table. REGEDT32.EXE represented them as a list of strings.
* REGEDIT.EXE supported right-clicking of entries in a tree view to adjust properties and other settings. REGEDT32.EXE required all actions to be performed from the top menu bar.
* REGEDIT.EXE supported searching for key names, values, or data throughout the entire registry, whereas REGEDT32.EXE only supported searching for key names in one hive at a time.
* Because REGEDIT.EXE was directly ported from Windows 95, it did not support permission editing (permissions do not exist on Windows 9x). Therefore, the only way to access the full functionality of an NT registry was with REGEDT32.EXE.
* REGEDIT.EXE only supported string (REG_SZ), binary (REG_BINARY), and DWORD (REG_DWORD) values. REGEDT32.EXE supports those, plus expandable string (REG_EXPAND_SZ) and multi-string (REG_MULTI_SZ). Attempting to edit unsupported key types with REGEDIT.EXE on Windows 2000 or Windows NT 4 will result in conversion to a supported type that cannot be reversed.[5]

Windows XP was the first system to integrate these two programs into one, adopting the old REGEDIT.EXE interface and adding the REGEDT32.EXE functionality. The differences listed above are not applicable on Windows XP and newer systems; REGEDIT.EXE is the improved editor, and REGEDT32.EXE is simply a stub that invokes REGEDIT.EXE.

Command line editing

The registry can be manipulated in a number of ways from the command line. The reg.exe utility tool is included in Windows XP and Windows Vista and can be downloaded separately for previous versions. Alternative locations include the Resource Kit CD's or the original Installation CD of Windows.

reg.exe Operation [Parameter List]

Operation [QUERY|ADD|DELETE|COPY|SAVE|LOAD|UNLOAD|RESTORE|COMPARE|EXPORT|IMPORT]

Also, a .reg file (a text-based human-readable file format for storing portions of the registry) can be imported from the command line with the following command:

regedit.exe /s file

The /s means the file will be silent merged to the Registry. If the /s parameter is omitted the user will be asked to confirm the operation. In Windows 98 and Windows 95 the /s switch also caused regedit.exe to ignore the setting in the registry that allows administrators to disable it. When using the /s switch Regedit does not return an appropriate return code if the operation fails, unlike reg.exe which does. This makes it hard to script, however a possible workaround is to add the following lines into your batch file:

regedit /s file.reg
regedit /e test.reg "key"
if not exist test.reg goto REGERROR
del test.reg

The default association for .reg files in many versions of Microsoft Windows, starting with Windows 98 does require the user to confirm the merging to avoid user mistake.

Other commandline options include a VBScript together with CScript.

Registry permissions can be manipulated through the command line using the SubInACL.exe tool. The permissions on the HKEY_LOCAL_MACHINE\SOFTWARE key can be displayed using:

subinacl /keyreg HKEY_LOCAL_MACHINE\software /display

To set the owner of the key HKEY_LOCAL_MACHINE\software and all of its subkeys to Administrator:

subinacl /keyreg HKEY_LOCAL_MACHINE\software /setowner=Administrator
subinacl /subkeyreg HKEY_LOCAL_MACHINE\software /setowner=Administrator

To grant full access rights to the HKEY_LOCAL_MACHINE\software key to Administrator:

subinacl /keyreg HKEY_LOCAL_MACHINE\software /grant=Administrator=F

[edit] Programs or scripts

The registry can be edited through the APIs of the Advanced Windows 32 Base API Library (advapi32.dll).
List of Registry API functions
RegCloseKey RegOpenKey RegConnectRegistry RegOpenKeyEx
RegCreateKey RegQueryInfoKey RegCreateKeyEx RegQueryMultipleValues
RegDeleteKey RegQueryValue RegDeleteValue RegQueryValueEx
RegEnumKey RegReplaceKey RegEnumKeyEx RegRestoreKey
RegEnumValue RegSaveKey RegFlushKey RegSetKeySecurity
RegGetKeySecurity RegSetValue RegLoadKey RegSetValueEx
RegNotifyChangeKeyValue RegUnLoadKey

Many programming languages offer built-in runtime library functions or classes that enable programs to store settings in the registry (e.g. Microsoft.Win32.Registry in VB.NET and C#, or TRegistry in Delphi). COM-enabled applications like Visual Basic 6 can use the WSH WScript.Shell object. Another way is to use the Windows Support Tool Reg.exe by executing it from code,[7] although this is considered poor programming practice.

Similarly, scripting languages such as Perl (with Win32::TieRegistry), Windows Powershell and Windows Scripting Host also enable registry editing from scripts.

Locations

The Registry is stored in several files; depending upon the version of Windows, there will be different files and different locations for these files, but they are all on the local machine. The user-specific HKEY_CURRENT_USER user registry hive is stored in Ntuser.dat. There is one of these per user; if a user has a roaming profile, then this file will be copied to and from a server at logout and login respectively.

[edit] Windows NT, 2000, XP, Server 2003, and Vista

The following Registry files are stored in %SystemRoot%\System32\Config\:

* Sam – HKEY_LOCAL_MACHINE\SAM
* Security – HKEY_LOCAL_MACHINE\SECURITY
* Software – HKEY_LOCAL_MACHINE\SOFTWARE
* System – HKEY_LOCAL_MACHINE\SYSTEM
* Default – HKEY_USERS\.DEFAULT
* Userdiff - Not associated with a hive. Used only when upgrading operating systems.

The following files are stored in each user's profile folder:

* %UserProfile%\Ntuser.dat – HKEY_USERS\ (linked to by HKEY_CURRENT_USER)
* %UserProfile%\Local Settings\Application Data\Microsoft\Windows\Usrclass.dat (path is localized) – HKEY_USERS\_Classes (HKEY_CURRENT_USER\Software\Classes)

Windows 95, 98, and Me

The registry files are named USER.DAT and SYSTEM.DAT and are stored in the %WINDIR% directory. In Windows Me, Classes.dat was added. Also, each user profile (if profiles are enabled) has its own USER.DAT in profile's directory.

Windows 3.11

The registry file is called Reg.dat and is stored in the C:\WINDOWS directory

Legacy systems

With Windows 95, Windows 98, Windows ME and Windows NT, administrators can use a special file to be merged into the registry, called a policy file. The policy file allows administrators to prevent non-administrator users from changing registry settings like, for instance, the security level of Internet Explorer and the desktop background wallpaper. The policy file is primarily used in a business with a large number of computers where the business needs to be protected from the users and the users need to be protected from themselves.

The default extension for the policy file is .pol. The policy file filters the settings it enforces by user and by group (a "group" is a defined set of users). To do that the policy file merges into the registry, preventing users from circumventing it by simply changing back the settings. The policy file is usually distributed through a LAN, but can be placed on the local computer.

The policy file is created by a free tool by Microsoft that goes by the filename poledit.exe for Windows 95/Windows 98 and with a computer management module for NT-based systems. The editor requires administrative permissions to be run on systems that uses permissions. The editor can also directly change the current registry settings of the local computer and if the remote registry service is installed and started on another computer it can also change the registry on that computer. The policy editor loads the settings it can change from .adm files, of which one is included, that contains the settings the Windows shell provides. The .adm file is plain text and supports easy localisation by allowing all the strings to be stored in one place.

Group policy

Windows 2000 and later versions of Windows use Group Policy to enforce Registry settings. Policy may be applied locally to a single computer using GpEdit.msc, or to multiple computers in a domain using gpmc.msc.

Inifile virtualization

Windows NT kernels support redirection of API's into a Registry location such as HKEY_CURRENT_USER using a feature called "InifileMapping".[9] This functionality was introduced to allow applications written for 16-bit versions of Windows to be able to run under Windows NT where the Windows folder is not considered an appropriate location for user-specific data or configuration

Registry virtualization

Windows Vista has introduced limited Registry virtualization, whereby poorly written applications that write user data to a read-only system location (such as the HEKY_LOCAL_MACHINE hive) can be transparently redirected to a more appropriate location, without changing the application itself. The application is lied to by Windows, as it does not know that its Registry operations have been directed elsewhere.

Similarly, application virtualization redirects all of an application's Registry operations to a non-Registry backed location, such as a file. Used together with file virtualization, this approach allows applications to run without being installed on the location machine.

Advantages
)

Changing from having one or more INI files per program to one centralized registry has its good points:

* Richer data types can be stored in the Registry.
* Separation of machine configuration from user configuration. When a user logs into a Windows NT/2000/XP/Server 2003 computer, the user-based registry settings are loaded from a user-specific path rather than from a read-only system location. This allows multiple users to share the same machine, and also allows programs to work for a least-privilege user.
* Group Policy allows administrators on a Windows-based computer network to centrally manage program and policy settings. Part of this involves being able to set what an entry in the registry will be for all the computers on the network, and affect nearly any installed program — something almost impossible with per-program configuration files each with custom layouts, stored in dispersed locations.
* Standardization of the method of storing configuration data across diverse applications.
* The registry can be accessed over a network connection for remote management/support, including from scripts, using the standard set of API's.
* It can be backed up more easily, in that it is just a small number of files in specific locations.
* Portions of settings like any subset of an application configuration can be saved in a text-based .REG file, which can be edited with any text editor later. .REG files can easily be merged back into the registry both by unattended batch file or by the user just double-clicking on the file without harming any setting that is not explicitly stated in the .REG file. This is very useful for administrators and support personnel who want to pre-set or pre-configure only a few options like approving the EULA of a certain application.
* Since accessing the registry does not require parsing, it can be read from and written to more quickly than a text file can be.
* Registry operations can be tracked in realtime via a tool like Sysinternals' RegMon on value level. This is a big advantage for generating scripts in networks as well as debugging problems.
* Registry keys are independent of the Windows language, the Windows installation drive and path and even the Windows versions as such. So support personnel can easily give out one set of instructions, without having to handle these things, unlike, for example, files in the user profile, which can be on different paths on each installation.
* The registry is constructed as a database, and offers DB-like features such as atomic updates. If two processes attempt to update the same registry value at the same time, one process's change will precede the other's, so one will only last a short time until the second gets written. With changes in a file system, such race conditions can result in interleaved data that doesn't match either attempted update. Windows Vista provides transactional updates to the registry, so the atomicity guarantees can be extended across multiple key and/or value changes, with traditional commit-abort semantics. (Note that NTFS provides such support for the file system as well, so the same guarantees could be obtained with traditional configuration files.)

Disadvantages

However, the centralized Registry introduces some problems as well:

* Increased memory overhead (.INI files were limited to 64 Kilobytes)
* The HKEY_LOCAL_MACHINE part is a single point of failure — damage to the Registry can render a Windows system unbootable, in extreme cases to a point that cannot be fixed, and requires a full reinstall of Windows. Windows 2000 (including server) keeps a second copy (.ALT) and attempts to switch to it when damage is detected.[10] This does not always work, requiring manually reverting to an older copy of the registry.
* The registry does not document itself in the same way a configuration file can, since it does not contain comments.
* Restoring parts of the registry is hard because the user cannot easily extract data from backed up registry files. Offline reading and manipulation of the registry (for example from a parallel installed Windows or a boot CD) is not trivial (but not impossible).
* Any application that does not uninstall properly, or does not have an uninstaller, can leave entries in the registry. In some cases this leads to performance or even stability problems, but only if the application registers itself as a class in HKEY_CLASSES_ROOT or HKEY_LOCAL_MACHINE. Note that user settings usually remain in the registry, which is done by design for three reasons: First, the user might be on a Windows domain with server-based profiles, where the settings move with the user to other computers. Uninstalling the application on one computer does not mean the user does not want to use the program on some other computer on the domain. Second, the uninstall process would have to load and process all user's hives to be able to erase all of its saved settings; to do so for every user can be very processor and time consuming and is not guaranteed to remove from every user in every configuration Windows can be. Third, if the program is installed again later, the user's previous settings will remain. (In any case, unused keys in HKCU have negligible impact on system performance.)
* Since at least 1998,[ pages at Microsoft Support relating to editing the registry include the disclaimer that the use of the Registry Editor should be done at one's own risk, underlining the severity of a corrupt registry.
* Applications that make use of the registry to store and retrieve their settings are not conductive for use on portable devices used to carry applications from one system to another. Since the settings are in the registry, and the registry is not on the portable device along with the application, any setting changes are lost and must be re-entered for each new system. A similar problem presents itself if the user gets a new computer or needs to reinstall Windows itself; it is difficult to isolate the portions of the registry that should be moved so that the user can retain their settings.

Windows 9x OS

On Windows 9x computers, an older installation can have a very large registry that slows down the computer's startup and can make the computer unstable. This has led to frequent criticisms that the registry leads to instability. However, as the on-disc structure of the registry is entirely different on the NT line of Operating Systems (including Windows XP and Vista) than Windows 9x series OS,[1] slowdown due to registry bloat now occurs much less frequently.

Equivalents in other operating systems

Other systems use separate configuration files for separate application subsystems, but group them together for ease of management. For instance, under Unix and Linux, system-wide configuration files (information which would appear in HKEY_LOCAL_MACHINE on Windows) are traditionally stored in files in /etc/ and its subdirectories, or sometimes in /usr/local/etc. Per-user information (information that would be in HKEY_CURRENT_USER) is stored in hidden directories and files (that start with a period) within the user's home directory.

Applications running on Apple Inc.'s Mac OS X operating system typically store settings in property list files which are usually stored in each user's Library folder. An advantage of this is that corruption to one of these files will normally only affect a single application, whereas corruption of one of the Registry hives can have system-wide effects. However, Mac OS X also has a system database called NetInfo that stores system-wide settings such as user account details and network configuration.

RISC OS also allows applications to be copied into directories easily, as opposed to the separate installation program that typifies Windows applications. If one wishes to remove the application, it is possible to simply delete the folder belonging to the application.[13] This is possible because RISC OS does not support multi-user environments with different settings for each user.

IBM AIX (a Unix variant) uses a registry component called Object Data Manager (ODM). The ODM is used to store information about system and device configuration. An extensive set of tools and utilities provides users with means of extending, checking, correcting the ODM database. The ODM stores its information in several files, default location is /etc/objrepos.

The GNOME desktop environment uses a registry-like interface called GConf for storing configuration settings for the desktop and applications. However, in GConf, all application settings are stored in separate files, thereby eliminating a single point of failure.

The Elektra Initiative provides an alternative back-end for text configuration files for the Linux operating system, similar to the registry.

what is an Generic Host Process for Win32 Services and svchost.exe?

2008-03-08T00:09:00.000-08:00

what is an Generic Host Process for Win32 Services and svchost.exe?

Generic Host Process for Win32 Services or svchost.exe is a legal and essential component of Windows which is used to host services which run from dynamic-link libraries (DLLs). Multiple instances of Svchost.exe can run at the same time. So it is not a problem in most cases if you see five or six or even more copies of svchost.exe running in your services because they host different groups of DLLs. However, there are several known spyware anв trojans that pretend to be legal svchost.exe. They usually have the same name or one of the following names: svchost.exe, svchosts.exe (which often causes svchosts.exe page faults), Generic.exe, svcchost.exe and several others. Please note that legal svchost.exe should reside in Windows\System32 folder and should not appear in startup list.
Why do you see "Generic Host Process for Win32 Services has encountered a problem" or similar error messages?

The are several possible reasons of this error message.

Reason 1: You have one of numerous worms, viruses and trojans which pretent themselves to be legal svchost.exe or use legal svchost.exe to run themselves at windows startup. These threats include: CashToolbar Downloader-MY, System1060, CoolWebSearch Svchost32, ADCLICK-AG, ADCLICK-AX, ADUYO-A, AGENT-V, AGOBOT-KL, AUTOTROJ-C and many others.

Reason 2: Some legal DLL which uses svchost.exe to run itself at Windows startup crashed and causes crash of the whole svchost.exe service.

Reason 3: You have just installed update from Microsoft which contains errorneous verison of Windows Installer or double-byte character set (DBCS) characters support (only occures in Microsoft Windows XP Service Pack 2 (SP2)).

Reason 4: You installed old printer or scanner drivers from Hewlett-Packard which are incompatible with the current version of svchost.exe

Generic Host Process win32 error

2008-03-08T00:05:00.000-08:00

You receive a "Generic Host Process" error message after you start the computer, or DBCS attachment file names are not displayed in Rich Text e-mail messages
View products that this article applies to.
Article ID : 894391
Last Review : October 9, 2007
Revision : 7.1
Notice
The problem that this article describes was corrected in security update 902400 (http://support.microsoft.com/kb/902400/). This update is available from Windows Update (http://update.microsoft.com (http://update.microsoft.com)). If you are still experiencing problems similar to those that this article describes, it may be a different problem than the problem that this article describes. The "Similar problems and resolutions" section contains additional troubleshooting articles for similar problems.
On This Page
SYMPTOMS
RESOLUTION
Hotfix information
Windows Server 2003, 32-bit versions
Windows Server 2003, Itanium-based Editions
Windows XP, 32-bit versions
Windows XP, 64-bit version (Itanium)
Windows 2000
Prerequisites
Restart requirement
Hotfix replacement information
File information
Microsoft Windows Server 2003, 32-bit versions
Windows Server 2003, Itanium-based Editions
Windows XP, 32-bit versions
Windows XP, 64-bit version (Itanium)
Windows 2000
STATUS
MORE INFORMATION
Similar problems and resolutions
SYMPTOMS
If you installed security update 873333 (MS05-012), you may experience one or more of the following problems:
• You may receive the following error message after you start the computer:
Generic Host Process for Win32 Services Error
Note This problem only occurs in Microsoft Windows XP Service Pack 2 (SP2).
• File names are not displayed in e-mail messages that include file attachments when the following conditions are true:
• The file name contains double-byte character set (DBCS) characters.
• The file name is longer than 42 characters.
Note This problem only occurs when the e-mail message format is Rich Text.
• An application that implements the IMallocSpy debugging interface may experience heap corruption after you install security update 873333. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
894194 (http://support.microsoft.com/kb/894194/) An application that implements the IMallocSpy debugging interface may experience heap corruption after you install security update 873333
For more information about security release MS05-012, click the following article number to view the article in the Microsoft Knowledge Base:
873333 (http://support.microsoft.com/kb/873333/) MS05-012: Vulnerability in OLE and COM could allow remote code execution

Back to the top
RESOLUTION
Hotfix information
A supported hotfix is now available from Microsoft. For Windows XP SP2, the Generic Host Process error can potentially occur on any system at any time. Although you receive the error message shortly after system startup, the actual error occurred during the previous system shutdown. Because of the broad nature of this issue, this hotfix was made available through Windows Update and distributed to users who have Automatic Updates enabled to eliminate this problem on Windows XP SP2 systems. For Windows XP SP2, you may experience one last Generic Host Process error upon restart after you install this hotfix. This is from the previous system shutdown before the new version installation was completed.

For Microsoft Windows Server 2003 and Microsoft Windows 2000, this hotfix is only intended to correct the problems that are described in this article. Only apply this hotfix to systems that are experiencing this specific problem. This hotfix may receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows service pack that contains this hotfix. To resolve this problem immediately, download the hotfix from the following locations.
Windows Server 2003, 32-bit versions
The following file is available for download from the Microsoft Download Center:

DownloadDownload the WindowsServer2003-KB894391-x86-enu.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=C4B0D34C-2796-4BE1-B509-C7AFF9D593B0&amp;displaylang=en)
Windows Server 2003, Itanium-based Editions
The following file is available for download from the Microsoft Download Center:

DownloadDownload the WindowsServer2003-KB894391-ia64-enu.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=383B2763-6C82-4070-A1B1-1D00FE7C1622&displaylang=en)
Windows XP, 32-bit versions
The following file is available for download from the Microsoft Download Center:

DownloadDownload the WindowsXP-KB894391-x86-ENU.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=A87B44B9-7A6A-49B6-BD89-AFAD4E049C48&amp;displaylang=en)

Note This hotfix was made available through Windows Update and distributed to users who have Automatic Updates enabled.
Windows XP, 64-bit version (Itanium)
The following file is available for download from the Microsoft Download Center:

DownloadDownload the WindowsXP-KB894391-ia64-ENU.exe package now. (http://www.microsoft.com/downloads/details.aspx?FamilyId=6D111D8D-5649-4BAD-BEA8-3BDB92F3732B&amp;displaylang=en)
Windows 2000
The following file is available for download from the Microsoft Download Center:

DownloadDownload the Windows2000-KB894391-x86-ENU.exe package now. ( http://www.microsoft.com/downloads/details.aspx?FamilyId=5872F7D3-086E-41C0-A08C-437BACC3002F&amp;amp;amp;displaylang=en)

For more information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 (http://support.microsoft.com/kb/119591/) How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
Prerequisites
No prerequisites are required.
Restart requirement
You must restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace any other hotfixes.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Microsoft Windows Server 2003, 32-bit versions

Date Time Version Size File name Folder
------------------------------------------------------------------
20-Feb-2005 00:16 5.2.3790.275 1,192,448 Ole32.dll RTMQFE
20-Feb-2005 00:16 5.2.3790.275 72,192 Olecli32.dll RTMQFE
20-Feb-2005 00:16 5.2.3790.275 36,352 Olecnv32.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.141 26,112 Rpcproxy.dll RTMQFE
16-Mar-2004 03:17 5.2.3790.141 659,968 Rpcrt4.dll RTMQFE
20-Feb-2005 00:16 5.2.3790.275 294,912 Rpcss.dll RTMQFE
20-Feb-2005 00:06 5.2.3790.275 1,192,448 Ole32.dll RTMGDR
20-Feb-2005 00:06 5.2.3790.275 72,192 Olecli32.dll RTMGDR
20-Feb-2005 00:06 5.2.3790.275 36,352 Olecnv32.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.137 26,112 Rpcproxy.dll RTMGDR
16-Mar-2004 03:09 5.2.3790.137 660,992 Rpcrt4.dll RTMGDR
20-Feb-2005 00:06 5.2.3790.275 294,400 Rpcss.dll RTMGDR

Windows Server 2003, Itanium-based Editions

Date Time Version Size File name CPU Folder
-----------------------------------------------------------------------------
19-Feb-2005 22:16 5.2.3790.275 3,578,880 Ole32.dll IA-64 RTMQFE
19-Feb-2005 22:16 5.2.3790.275 223,744 Olecli32.dll IA-64 RTMQFE
19-Feb-2005 22:16 5.2.3790.275 89,088 Olecnv32.dll IA-64 RTMQFE
31-Mar-2004 01:25 5.2.3790.141 73,216 Rpcproxy.dll IA-64 RTMQFE
31-Mar-2004 01:25 5.2.3790.141 2,150,400 Rpcrt4.dll IA-64 RTMQFE
19-Feb-2005 22:16 5.2.3790.275 688,640 Rpcss.dll IA-64 RTMQFE
19-Feb-2005 22:16 5.2.3790.275 1,192,448 Wole32.dll x86 RTMQFE\WOW
19-Feb-2005 22:16 5.2.3790.275 72,192 Wolecli32.dll x86 RTMQFE\WOW
19-Feb-2005 22:16 5.2.3790.275 36,352 Wolecnv32.dll x86 RTMQFE\WOW
31-Mar-2004 01:26 5.2.3790.141 26,112 Wrpcproxy.dll x86 RTMQFE\WOW
31-Mar-2004 01:26 5.2.3790.141 544,256 Wrpcrt4.dll x86 RTMQFE\WOW
19-Feb-2005 22:06 5.2.3790.275 3,577,856 Ole32.dll IA-64 RTMGDR
19-Feb-2005 22:06 5.2.3790.275 223,744 Olecli32.dll IA-64 RTMGDR
19-Feb-2005 22:06 5.2.3790.275 89,088 Olecnv32.dll IA-64 RTMGDR
31-Mar-2004 01:29 5.2.3790.137 73,216 Rpcproxy.dll IA-64 RTMGDR
31-Mar-2004 01:29 5.2.3790.137 2,140,160 Rpcrt4.dll IA-64 RTMGDR
19-Feb-2005 22:06 5.2.3790.275 687,616 Rpcss.dll IA-64 RTMGDR
19-Feb-2005 22:06 5.2.3790.275 1,192,448 Wole32.dll x86 RTMGDR\WOW
19-Feb-2005 22:06 5.2.3790.275 72,192 Wolecli32.dll x86 RTMGDR\WOW
19-Feb-2005 22:06 5.2.3790.275 36,352 Wolecnv32.dll x86 RTMGDR\WOW
31-Mar-2004 01:29 5.2.3790.137 26,112 Wrpcproxy.dll x86 RTMGDR\WOW
31-Mar-2004 01:29 5.2.3790.137 542,208 Wrpcrt4.dll x86 RTMGDR\WOW

Note When you install this hotfix on a computer that is running Windows Server 2003, the installer checks to see if one or more of the files that are being updated on the computer have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the RTMQFE files to the computer. Otherwise, the installer copies the RTMGDR files to the computer.
Windows XP, 32-bit versions

Date Time Version Size File name Folder
-------------------------------------------------------------------
28-Apr-2005 19:33 5.1.2600.1675 1,190,400 Ole32.dll SP1QFE
28-Apr-2005 19:33 5.1.2600.1675 68,608 Olecli32.dll SP1QFE
28-Apr-2005 19:33 5.1.2600.1675 35,328 Olecnv32.dll SP1QFE
06-Mar-2004 02:16 5.1.2600.1361 535,552 Rpcrt4.dll SP1QFE
28-Apr-2005 19:33 5.1.2600.1675 275,456 Rpcss.dll SP1QFE
28-Apr-2005 18:35 5.1.2600.2665 1,286,144 Ole32.dll SP2QFE
28-Apr-2005 19:35 5.1.2600.2665 74,752 Olecli32.dll SP2QFE
28-Apr-2005 19:35 5.1.2600.2665 37,376 Olecnv32.dll SP2QFE
28-Apr-2005 19:35 5.1.2600.2665 396,288 Rpcss.dll SP2QFE
28-Apr-2005 19:31 5.1.2600.2665 1,285,120 Ole32.dll SP2GDR
28-Apr-2005 19:31 5.1.2600.2665 74,752 Olecli32.dll SP2GDR
28-Apr-2005 19:31 5.1.2600.2665 37,888 Olecnv32.dll SP2GDR
28-Apr-2005 19:31 5.1.2600.2665 395,776 Rpcss.dll SP2GDR

Windows XP, 64-bit version (Itanium)

Date Time Version Size File name CPU
--------------------------------------------------------------------
28-Apr-2005 18:30 5.1.2600.1675 4,356,608 Ole32.dll IA-64
28-Apr-2005 18:30 5.1.2600.1675 241,152 Olecli32.dll IA-64
28-Apr-2005 18:30 5.1.2600.1675 97,280 Olecnv32.dll IA-64
06-Mar-2004 01:07 5.1.2600.1361 2,317,824 Rpcrt4.dll IA-64
28-Apr-2005 18:30 5.1.2600.1675 784,896 Rpcss.dll IA-64
28-Apr-2005 18:33 5.1.2600.1675 1,190,400 Wole32.dll x86
28-Apr-2005 18:33 5.1.2600.1675 68,608 Wolecli32.dll x86
28-Apr-2005 18:33 5.1.2600.1675 35,328 Wolecnv32.dll x86
06-Mar-2004 01:16 5.1.2600.1361 509,440 Wrpcrt4.dll X86

Notes The Windows XP and Microsoft Windows XP Professional 64-Bit Edition (Itanium) 2003 versions of this hotfix are packaged as dual-mode packages. These dual-mode packages contain files for the original version of Windows XP Service Pack 1 (SP1) and files for Windows XP SP2.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
328848 (http://support.microsoft.com/kb/328848/) Description of dual-mode update packages for Windows XP
When you install this hotfix on a computer that is running Windows XP SP2 or Windows XP Professional 64-Bit Edition (Itanium) 2003, the installer checks to see if one or more of the files that are being updated on the computer have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on the operating system:
• Windows XP SP2
The installer copies the SP2QFE files to the computer.
• Windows XP Professional 64-Bit Edition (Itanium) 2003
The installer copies the RTMQFE files to the computer.
If you have not previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on the operating system:
• Windows XP SP2
The installer copies the SP2GDR files to the computer.
• Windows XP Professional 64-Bit Edition (Itanium) 2003
The installer copies the RTMGDR files to the computer.
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
824994 (http://support.microsoft.com/kb/824994/) Description of the contents of Windows XP Service Pack 2 and Windows Server 2003 software update packages
Windows 2000

Date Time Version Size File name
--------------------------------------------------------------
11-May-2005 05:55 5.0.2195.7034 957,712 Ole32.dll
11-May-2005 05:55 5.0.2195.7009 69,392 Olecli32.dll
19-Feb-2005 23:13 5.0.2195.7034 36,624 Olecnv32.dll
11-Mar-2004 20:29 5.0.2195.6904 449,808 Rpcrt4.dll
19-Feb-2005 23:13 5.0.2195.7034 212,240 Rpcss.dll

Back to the top
STATUS
This problem was corrected in security update 902400 (http://support.microsoft.com/kb/902400/).

Back to the top
MORE INFORMATION
If you have limited user accounts, which are user accounts that are not administrators, on the computer, individual error reports are saved and not sent until someone with an Administrative User account logs in. Because of this issue, you may receive multiple Windows error reports after you have installed the fix for the Generic Host Process error. If this behavior occurs, click Send Error Report for each report.
For more information about the standard terminology that is used to describe Microsoft software updates, click the following article number to view the article in the Microsoft Knowledge Base:
824684 (http://support.microsoft.com/kb/824684/) Description of the standard terminology that is used to describe Microsoft software updates

Back to the top
Similar problems and resolutions
If you are still experiencing problems that are similar to those that this article describes, it may be a different problem than the problem that this article describes. Here is a list of articles that discuss similar problems. You can review these articles to try to address the problem:
821690 (http://support.microsoft.com/kb/821690/) Generic Host Process error message and a flashlight icon appear
931852 (http://support.microsoft.com/kb/931852/) Error messages when you start a Windows XP-based computer and then try to download Windows updates
939273 (http://support.microsoft.com/kb/939273/) You cannot deploy software updates on a computer that is running Microsoft Windows XP or Microsoft Windows Server 2003
932762 (http://support.microsoft.com/kb/932762/) The Service Host process may stop unexpectedly in Windows Server 2003
910666 (http://support.microsoft.com/kb/910666/) The Svchost.exe process may end unexpectedly on a Windows Server 2003-based computer
894538 (http://support.microsoft.com/kb/894538/) When Internet Authentication Service receives an unknown attribute in a packet, a Windows Server 2003-based Internet Authentication Service server stops responding
927385 (http://support.microsoft.com/kb/927385/) You receive an error message after a Windows XP-based computer runs an automatic update, and you may be unable to run any programs after you close the "svchost.exe - Application Error" error message dialog box
If the these articles do not help you to resolve the problem or if you experience symptoms that differ from those that this article describes, you might want to search the Microsoft Knowledge Base for more information. To search the Microsoft Knowledge Base, visit the following Microsoft Web site:
http://support.microsoft.com (http://support.microsoft.com/)
Then, type the text of the error message that you receive, or type a description of the problem in the Search Support (KB) field. Or, if you prefer, you might want to ask someone for help or contact support. For information about how to do this, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/

Safe mode operations in windows

2008-03-08T00:00:00.000-08:00

Many times in order to remove a piece of spyware or for troubleshooting and diagnostic purposes, you'll have to start Windows in Safe Mode. While in Safe Mode, only specific programs and files needed to run the operating system are loaded. Some functions, such as connecting to the Internet, will not be active in Safe Mode and a standard video driver will be loaded causing a washed out look and a possible change in resolution.

However, because just the essential programs and files are loaded in Safe Mode, this allows us to remove some spyware, adware, viruses and such that cannot be removed in Normal Mode. Follow the instructions below to Start Safe Mode for your specific version of Windows. If you are trying to delete a file that is not allowing you to delete it (even in Safe Mode
Included at the bottom of the article are instructions for starting Windows Vista in Safe Mode too.

Windows 95

* Restart the computer.
* Just after the POST diagnostics and memory count, start pressing the F8 key
* On the Startup Menu, choose Safe Mode

Windows 98/Me

* Restart the computer.
* Just after the POST diagnostics and memory count, start pressing the F8 key
* On the Startup Menu, choose Safe Mode

or you may use the System Configuration Utility Method.

* While in Normal mode, Close all programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* In the System Configuration Utility, on the General Tab, click the Advanced Button
* In the Advanced Troubleshooting Settings dialog box, check Enable Startup Menu. Click OK. Click OK again when the System Configuration Utility reappears.
* You will be prompted to restart the computer. Click Yes. The computer will restart in Safe mode.
* When you are finished with troubleshooting in Safe mode, open MSCONFIG again and uncheck "Enable Start-up Menu." under the Advanced Menu, then click OK and restart your computer

Windows 2000

* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
* Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

Windows XP

If Windows XP is the only operating system installed on your computer, booting into Safe Mode with these instructions.

* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe mode option is selected.
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with all troubleshooting, close all programs and restart the computer as you normally would.

To use the System Configuration Utility method

* Close all open programs.
* Click Start, Run and type MSCONFIG in the box and click OK
* The System Configuration Utility appears, On the BOOT.INI tab, Check the "/SAFEBOOT" option, and then click OK and Restart your computer when prompted.
* The computer restarts in Safe mode.
* Perform the troubleshooting steps for which you are using Safe Mode.
When you are finished with troubleshooting in Safe mode, open MSCONFIG again, on the BOOT.INI tab, uncheck "/SAFEBOOT" and click OK to restart your computer

Windows as part of a multiboot system

Use this method ONLY if you have multiple operating systems installed on your computer.

* If the computer is running, shut down Windows, and then turn off the power
* Wait 30 seconds, and then turn the computer on.
* When the Boot loader menu (list of the available operating systems) appears, use the arrow keys on the keyboard to select the version Windows what you want
* Press Enter, and then immediately begin tapping the F8 key. The Windows Advanced Options menu appears.
* Scroll to and select the Safe mode menu item, and then press Enter.

Windows Vista

Windows Vista is similar to Windows XP for starting in Safe Mode.

* Turn the computer on or Restart the computer
* Start tapping the F8 key. The Windows Advanced Boot Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe mode option is selected (the top option)
* Press Enter. The computer then begins to start in Safe mode.
* When you are finished with troubleshooting, close all programs and restart the computer as you normally would.

How to Disable System Restore in Windows ME, Windows XP, and Windows Vista

2008-03-07T22:02:00.000-08:00

One of the best features of Windows ME, XP, or Windows Vista is the System Restore option, however if a virus infects a computer with this operating system the virus may be accidentally backed up because of this feature. In order to completely remove a virus on these operating systems, you should disable System Restore before cleaning the system, then reenable it after the system is clean.

Follow the instructions below to disable System Restore

Disabling System Restore on Windows ME

1. Click Start, Settings, and then click Control Panel.
2. Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

3. Click the Performance tab, and then click File System.
4. Click the Troubleshooting tab, and then check Disable System Restore.
5. Click OK. Click Yes, when you are prompted to restart Windows.

Once you have cleaned the virus or other problem from the computer, reenable System Restore by following these directions

To enable Windows Me System Restore:

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click System, and then click the Performance tab.
3. Click File System, and then click the Troubleshooting tab.
4. Uncheck Disable System Restore.
5. Click OK. Click Yes, when you are prompted to restart Windows.

Disabling System Restore on Windows XP

IMPORTANT NOTES:

You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
Turning off System Restore will clear out all previous restore points.
To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do; for example, virus removal. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows XP System Restore: 1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
5. Click Apply, and then click OK.

Starting System Restore From a Command Prompt in Windows XP

1. Restart your computer or turn the computer on
2. Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
3. Select the "Safe Mode with Command Prompt option" and press Enter
4. Log on to the computer with an administrator account
5. Type the following at the command prompt and press Enter

%systemroot%\system32\restore\rstrui.exe

6. Follow the onscreen instructions to restore your computer to an earlier time.

Re-enabling System Restore in Windows XP via the Group Policy Editor

In some cases, System Restore is disabled via the Group Policy Editor. In these cases, System Restore does not show up as a tab under My Computer Properties in Windows XP. If it doesnt show up, the question becomes how do you turn it on in the first place. To re-enable System Restore via the Group Policy Editor, follow these directions:

1) Start the Group Policy Editor by clicking on Start, Run and typing gpedit.msc in the Run box and pressing Enter
2) In the left hand column, click on Computer Configuration, Administrative Templates, System, System Restore
3) In the right hand column, set Turn off System Restore and Turn off Configuration to Disable
4) Minimize the Group Policy Editor
5) Right click on My Computer and Select Manage
6) In the right hand column, double click on Services and Applications, then Services
7) Find the System Restore Service and double-click to open
8) On the General tab set [Startup Type] to Automatic using the drop down list
9) Click the Start button to start the service
10) Close the Computer Management console
11) Maximize the Group Policy Editor and set Turn off System Restore and Turn off Configuration to Not Configured
12) Close Group Policy Editor and reboot the system.
13) Once the system is rebooted, Click on Start, Right-click on My Computer, click on Properties and the System Restore tab should appear again.

Disabling System Restore on
Windows Vista To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

How to Delete Individual Entries from the Internet Explorer Address Bar

2008-03-03T21:58:00.000-08:00

How to Delete Individual Entries from the Internet Explorer Address Bar

Whenever you type an address directly into the Internet Explorer's address bar, the URL will be saved in IE's history. If you pull downdown this list later, those URLs will show up. Because of privacy and security concerns, you may want to delete these entries periodically. Although you can remove the website URLs from the address bar dropdown list by clearing the history from Internet Explorer, its tougher to delete individual addresses from this list without some registry editing.

I'll show you how to edit the Windows registry to delete individual entries, as well as a couple free programs that can delete or even edit these URLs.

Manually Editing the Registry to Remove Typed URLs

Use the following directions to delete individual URLs from the Address Bar list in Internet Explorer

1) Click on Start, Run
2) Type REGEDIT and press Enter or Click OK
3) Click on the pluses(+) next to the following folders

HKEY_CURRENT_USER
Software
Microsoft
Internet Explorer
Typed URLs
4) You'll find a list similar to the following in the right hand column. Right-click in the NAME column and delete the desired URL.

5) Close the Registry Editor
6) Close all open Internet Explorer windows
7) Reopen Internet Explorer and the unwanted URL in the address dropdown list should be gone.

How to Delete Individual URLs from FireFox Address Bar

In Firefox, its much easier to delete individual URLs. Simply drop down the address bar list and highlight the unwanted URL. Then press CTRL-DELETE on the keyboard to delete the individual unwanted address.

Programs to Delete, Edit or Change Typed URLs in the IE Address Bar

EditURLs - Free browser tool that provides the user with the capability to edit individual URL addresses in Internet Explorer's Address Bar. These URL addresses are also referred to as "Typed URLs"

IE Address Bar Editor Another freeware program to remove individual URLs, although not quite as easy to use as EditURLs.

Why Can't I Change My Desktop Wallpaper?

2008-03-03T21:54:00.000-08:00

Why Can't I Change My Desktop Wallpaper?

If you have tried to change your wallpaper on your Windows desktop and it won't change, there is generally two reasons: an active desktop issue or a registry issue.

Active Desktop allows you to add interactive features to your normal desktop wallpaper. You can set a web page for instance to be your desktop background. However, many times active desktop will cause problems with changing your background wallpaper and other issues.

If active desktop is already turned off, then the problem is generally a windows registry issue usually caused by spyware or adware.

Is Active Desktop Turned Off?

The inability to change your desktop wallpaper or background, can many times be traced to Active Desktop. Follow the steps below to remove any web objects from displaying on your background.

1) Click on Start, Control Panel
2) Double-click on Display
3) Click on the Desktop tab
4) Click on the Customize Desktop button
5) Click on the Web tab
6) Uncheck any items listed under Web pages
7) Click Ok and then click Ok one more time to close the window.

Your Active Desktop wallpaper should be removed, now try to change your background wallpaper. If you still can't change your wallpaper background, proceed to the next section.

Fix Registry Entry

Sometimes a piece of spyware or adware can change your wallpaper background and won't let you change it back. Generally if you go into the Display Settings and Click on the Desktop tab, the options for changing the background will be disabled or greyed out. Removing the following entry from the registry usually fixes this problem.

1) Click on Start, Run
2) Type REGEDIT and Press Enter
3) Click the plus signs(+) next to the following sections of the registry

HKEY_CURRENT_USER
Software
Microsoft
Windows
CurrentVersion
Policies
System
4) Look for the WALLPAPER key on the right hand side
5) Right-click and Delete this entry
6) Close the Registry Editor

Now try to change the desktop background. In most cases this will solve the problem.

How to Use Remote Desktop to

2008-02-17T23:23:00.000-08:00

One of the best features of Windows XP Professional and some versions of Windows Vista is Remote Desktop. However, what if you need to access more than one computer at home while on a trip?
This article will show you how to setup a second (or even a third) computer to be accessed remotely.

What are Ports and How Do They Work?

Computers have different ports that are assigned specific numbers. These ports allow information into and out of the computer. For instance, port 80 is used by the web, while port 23 is used by FTP programs. Firewalls block information from accessing the ports on a computer unless the firewall is specifically told to allow something through. For this reason, we need to be able to setup each remotely accessed computer with a separate port and tell the firewall which computer is using each port.

Remote Desktop Ports

Windows Remote Desktop uses port 3389 to send and receive data. So the first computer being accessed remotely will be assigned this port to use for Remote Desktop. While the other computers in the local area network will be assigned sequential numbers starting with 3390. So, the second computer would be given port 3390, the third would use port 3391 and so on.

Follow the directions below to change the listening port for Remote Desktop and each computer you wish to access remotely.

1) Click on Start, Run
2) Type REGEDIT and press Enter
3) Click on the plus signs (+) next to the following sections in the Registry Editor

HKEY_LOCAL_MACHINE
System
CurrentControlSet
Control
TerminalServer
WinStations
RDP-TCP
4) In the right-hand column find the section called PortNumber
5) Double-click on the name PortNumber
6) Choose the Decimal option under Base and type the correct port number using the information above.
7) Click OK
8) Close the Registry Editor
9) Repeat this procedure on each computer you wish to access remotely along with the steps involved in setting each computer up to use Remote Desktop.

Changing the Firewall to Allow Access

Now that each computer is assigned a unique port to use for Remote Desktop, you'll have to tell the firewall running on each computer to allow that port through. Follow these steps to change the Windows Firewall to allow access.

1) In the Control Panel, click on the option for Security Center
2) Click on Windows Firewall under the heading "Manage Security Settings For"
3) Verify Windows Firewall is turned on
4) Click on the Exceptions tab
5) Click on the Add Port button
6) In the Name field, type REMOTE DESKTOP 2
7) In the Port field, type the port you assigned to the computer in the previous section: 3389, 3390, etc.
8) Choose TCP as the protocol and Click OK
9) Verify that there is a checkmark for the option REMOTE DESKTOP 2 and Click OK

Changing Your Router to Allow Access

Lastly, you'll need to make a change in your router for each computer you want to access. This change is called Port Forwarding and a friend of mine has created a great site called PortForward.com to explain how to do this. Depending on your router the procedure is slightly different, however there are great tutorials on portforward.com to explain this.

Each computer you want to access must have its own static ip address on your network. There are two steps involved in setting a static IP address for each computer: discover your current ip address and assign the current ip address to your computer.

Discover the Current IP Address on your computer

1) Click on Start, Run
2) Type CMD and press Enter
3) At the blinking cursor, type IPCONFIG /ALL and press Enter (remember there is a space between IPCONFIG and /ALL)
4) Find the section for the Connected Ethernet Adapter and write down the following information

IP Address
Subnet Mask
Default Gateway
DNS Servers
5) Type EXIT and press Enter to close the window

Assign the Current IP Address to Your Computer as a Static IP

1) Click on Start, Control Panel
2) In Classic View: Open Network Connections
In Category View: Select Network and Internet Connections, then click on Network Connections
3) Right-click on your active LAN or Internet connection
4) Click on Properties
5) In the General tab, highlight Internet Protocol (TCP/IP) and click Properties
6) Under the General tab, click Use the following IP Address and enter the information you wrote down in the previous section for this computer including

IP address
Subnet mask
Default gateway
7) Click the option for Use the following DNS server addresses and enter the DNS servers your router is using
8) Click OK and then click OK again to leave the Network Settings section
9) Restart your computer
10) Follow the procedure above to check your current IP address and verify its the same as before
11) Finally, test the connection and make sure you can access the Internet.
Port Forward the Remote Desktop Port

Now you are ready to modify your router to port forward the remote desktop port number to the correct computer. Use the tutorials on PortForward.com to make changes to your router. Although the specific information will be different for your situation, you'll forward the port you assigned for Remote Desktop to the static IP address you assigned for that particular computer. If you have three computers you are trying to reach with Remote Desktop, then you'll have three entries in the port forward section of your router to accomplish this.

Also, its best if your internet connection to your LAN is assigned a static IP by your ISP. If you dont have a static IP, you will find it harder to connect because your IP will change each time your router is rebooted. To discover your current LAN IP, go to the website WhatIsMyIP.COM and it will show you your current IP.

As an alternative, you can sign up for a free Dynamic DNS account to track your IP and be able to access your network. You can sign up for DynDNS by visiting their site at http://www.dyndns.com

Using the Remote Desktop Connection to Connect to Each Computer

Now, you can test the remote desktop connections from another location.

1) On your laptop or another computer not connected to your LAN, open the Remote Desktop Connection software under Accessories and Communications
2) On the Remote Desktop screen type the IP of the network you want to connect to followed by a colon and the port number you wish to connect to.

Example: 215.76.43.5:3390

3) Finally click connect and see if you can reach your computer. If the connection is successful, you will be presented with the login screen for your computer, type your username and password and click Ok to access your computer.
4) Test this connection for each computer you wish to connect to behind your local area network.

NOTE: You'll have to log into an account on your computer has been assigned a password. If you don't have a password assigned, you'll need to assign one before using Remote Desktop to connect.

How to Fix Problems Viewing Secure Websites

2008-02-12T06:31:00.000-08:00

Occasionally you may run across a problem where you cant view a secure (HTTPS) web site using a browser like Internet Explorer, Netscape, or Firefox. This could be caused by a variety of issues, so I have compiled a list of troubleshooting steps to resolve this problem.
First, you'll want to see if the problem lies with ALL secure websites or just one. If the problem appears to be with accessing just one site, then then issue is usually with the secure certificate associated with the site and only the site owner will be able to resolve this issue. On the other hand, if the problem persists will ALL secure websites then you'll want to follow the steps below to troubleshoot and fix the problem.

Do you receive an IE Security Alert like the following? Telling you the security certificate has expired or not yet valid?

Check your date and time settings

If this is the case, the first thing you want to check is the time and date settings on your computer to make sure they are correct. Follow the steps below to check this:

1) Double click on the time in the bottom right hand corner of the screen in the System Tray
2) Correct any errors in the date and time and click OK to set it
3) Try the secure website that you were previously having trouble accessing

If you are still having trouble accessing it, proceed on to the next section.

Check your settings for your Antivirus and Firewall

Many times a problem with your antivirus or firewall can cause this issue. If you are using Norton Internet Security or Norton Personal Firewall, follow these steps to reset your privacy controls.

1) Open Norton Internet Security or Norton Personal Firewall.
2) In the right pane, click Privacy Control.
3) Click Configure.
4) Click Default Level.
5) Click OK.
6) Restart your computer and try to access the secured site again.

If this doesnt fix it, temporarily disable your antivirus or firewall and try the site again. If you can access the site after temporarily disabling your antivirus or firewall, then you'll want to repair or reinstall your firewall or antivirus to fix this.

For Norton Antivirus or Firewall, there is a good article here walking you through this procedure.

If, however, this doesnt fix the problem, proceed to the next section.

Check your browser's Cipher Strength

1) In Internet Explorer, click on Help, About
2) In the About screen, find the option for Ciper Strength

3) If the Cipher Strength is 0 or anything but 128-bit, then the problem is with the security of the browser. Follow the steps in the following Microsoft Support article to fix this.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;q261328

Fixing other Problems with IE

If fixing the cipher strength does not fix the issue, then its time to look at other problems with Internet Explorer. A great tool for fixing IE problems is a program call IEFIX, you can download this file from the link below and run it to fix misc issues with IE.

How to Disable/Enable the Windows XP Welcome Screen?

2008-02-12T06:28:00.000-08:00

Windows XP gives the user a couple ways to log into the computer. You can use the traditional or classic method of typing in the username and password to login or you can use what's called the Welcome Screen to login.
What if you want to change the way your computer logs in, can you disable or enable this Welcome Screen?

The Windows XP Welcome Screen is tied to another feature called "Fast User Switching". This feature lets a user leave all his programs running if another user needs to use the computer. The first user can Log Off the session and Switch User back to the Welcome Screen so that another person can use the computer. When the second person is done, the user can switch back to his profile with all the programs still running where they left off. In order to use this feature, you have to use the Welcome Screen. However, if you dont need or want this feature, follow the instructions below to remove the Welcome Screen.

Remove the Welcome Screen

If you dont want to use "Fast User Switching", you may want to disable the Welcome Screen. You must be logged in as an Administrator to do this. Note:To do this follow the directions below:

1) Click on Start
2) Click on Control Panel
3) Double-click on User Accounts
4) Click on "Change the way users log on or off"
5) Uncheck "Use the Welcome Screen" (note: this will also disable "Fast User Switching")
6) Click on Apply Options
7) Close the User Accounts window and the Control Panel
8) The next time you reboot your computer, the classic login prompt will be used

What if I dont want the Welcome Screen OR the classic prompt? Can I disable both?

To Login automatically to a user account, follow the instructions below:

1) Click on Run
2) Type in the following command and click OK

control userpasswords2

3) Highlight the user you want to log into automatically, then uncheck the box for

"Users must enter a username and password to use this computer"

4) Click on Apply and you'll be asked to verify the username and password to log in automatically
5) Click OK and the next time you restart your computer, you'll automatically be logged in without having the classic prompt or Welcome Screen.

Is there a utility I can use to accomplish this?

You can download a utility for Windows XP called TweakUI that will allow you to change the way you log into Windows XP, along with allowing you to change alot of other features.

You can download TweakUI for Windows XP from the Microsoft Powertoys web page at

http://www.microsoft.com/windowsxp/downloads/powertoys/xppowertoys.mspx

Another Welcome Screen Issue

If you have recently installed a Netgear WG111 USB wireless network adapter, you might not be able to enable the Welcome Screen or Fast User Switching, click here to solve this problem

Cannot Access Regedit, How to Fix It?

2008-02-12T06:26:00.000-08:00

Cannot Access Regedit, How to Fix It?Many times when working on a computer that has been infected with a virus, trojan, or piece of spyware I find myself with my most important command, Regedit, the Windows Registry Editor being disabled. Virus creators like to disable the Registry Editor so it makes solving the problem and removing the issue difficult.

Sometimes administrators in IT departments may place restrictions on using the regedit command to keep employees from changes things on company computers, but viruses and other issues may also try to disable it.

Listed below you will find the different ways to enable regedit, the Registry Editor.

First we'll begin with the method that appears to work the best.

Method 1 - Enabling the Registry with VBScript

Doug Knox, a Microsoft Most Valuable Professional, has created a VBScript that enables or disables the Registry Editor based on the following location in the registry. Of course, since the registry editor is disabled, you can't change it manually, so Doug wrote a Visual Basic Script to accomplish the task.

HKey_Current_User\Software\Microsoft\Windows\CurrentVersion\Policies\System\

Visit Doug's page and download Registry Tools VBScript to your desktop, double-click on it to run it, then reboot your computer and try to open the Registry Editor.

If this fix didn't solve your problem, try method two shown below.

Method 2: Use Symantec's tool to reset shell\open\command registry keys

Sometimes worms and trojans will make changes to the shell\open\command registry entries as part of their infections. This will cause the virus to run each time you try to run an .exe file such as the Registry Editor. In these cases, visit Symantec's website and download the UnHookExec.inf file to your desktop. Right-click on it and choose Install. Restart your computer and then try to open the Registry Editor.

Method 3: Rename Regedit.com to Regedit.exe

Some viruses and other malware will load a regedit.com file that is many times a zero byte dummy file. Because .com files have preference over .exe files when executed if you type REGEDIT in the run line, it will run the regedit.com instead of the real regedit.exe file.

Delete the regedit.com file if its a zero byte file to restore access to REGEDIT. In some cases, such as the W32.Navidad worm, you'll need to rename the REGEDIT file to get it to work.

Method 4: Windows XP Professional and Group Policy Editor

If you have Windows XP Professional and access to an administrative user account, you could change the registry editor options in the Group Policy Editor.

Click Start, Run
Type GPEDIT.MSC and Press Enter
Go to the following location

User Configuration
Administrative Templates
System

In the Settings Window, find the option for "Prevent Access to Registry Editing Tools" and double-click on it to change.
Select Disabled or Not Configured and choose OK
Close the Group Policy Editor and restart your computer
Try opening REGEDIT again
Although there are a few other ways, the above ways I have used with great success in re-enabling the REGEDIT command. If you are interested in more ways to reactive the REGEDIT command, you may want to visit a site called Killian's Guide, that goes into more detail on a variety of ways to get the registry editor to work again.

Task Manager Has Been Disabled, How to Fix It?

2008-02-12T06:24:00.000-08:00

Task Manager Has Been Disabled, How to Fix It?

Many times when working on a computer that has been infected with a virus, trojan, or piece of spyware I find myself with the Task Manager being disabled. Malware creators like to disable Task Manager so it makes solving the problem and removing the issue difficult.

If this happens you'll normally have to edit the Windows registry to fix the problem. A restriction has been placed on the user to not allow them to run Task Manager, this might be ok in an office environment where the IT department wants to control things, but in a home office this can cause major problems trying to fix a malware or virus issue.

Listed below you will find the many ways to reenable Task Manager along with an automatic method that works wonders.

First we'll begin with the various registry modification methods for correcting this problem.

Method 1 - Using the Group Policy Editor in Windows XP Professional

Click Start, Run, type gpedit.msc and click OK.
Under User Configuration, Click on the plus (+) next to Administrative Templates
Click on the plus (+) next tSystem, then click on Ctrl+Alt+Delete Options
Find Remove Task Manager in the right-hand pane and double click on it
Choose the option "Not Configured" and click Ok.
Close the Group Policy Window
Method 2: Change the Task Manager Option through the Run line

Click on Start, Run and type the following command exactly and press Enter
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Method 3: Change Task Manager through a Registry REG file

Click on Start, Run, and type Notepad and press Enter
Copy and paste the information between the dotted lines into Notepad and save it to your desktop as taskmanager.reg
------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
-------------------------------------

3. Double click on the taskmanager.reg file to enter the information into the Windows registry

Method 4: Delete the restriction in the registry manually

Click on Start, Run, and type REGEDIT and press Enter
Navigate to the following branch

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System

In the right pane, find and delete the value named DisableTaskMgr
Close the registry editor

Method 5: Download and Run FixTaskManager program

Click on the following links and download the program FixTaskManager to your Desktop

Main Site

Backup Location

Double-click on the file FixTaskManager on your desktop and run it

Click to Run an ActiveX Control on this webpage"

2008-02-12T06:21:00.001-08:00

How to Fix
"Click to Run an ActiveX Control on this webpage"
Prompt

Are you receiving a windows prompt asking you to "click to run an ActiveX control on this webpage"? If so, here why you are receiving it and how to fix it.
The change was included in a recent Windows update because of a patent infringement lawsuit between Eolas Technologies and the Regents of the University of California v. Microsoft. Because of this lawsuit, Microsoft is changing the way Internet Explorer handles ActiveX controls. These changes will be in Internet Explorer 7. However, to allow developers a chance to change their code. The change was included in the April Security update (KB912812).

This is why you are receiving the following prompt when visiting some ActiveX web pages.

How to Correct this Problem

1) Download the following Compatibility Patch to revert the IE Active X Control Behavior

http://www.microsoft.com/downloads/details.aspx?familyid=B7D9801B-4FB5-492E-903E-3400ABF1D731&displaylang=en

2) Install it and reboot your computer

3) Try the webpage you were receiving the prompt on

This should fix the issue for the time being, however when IE 7 is released this prompt will appear on web pages that have not changed the way they handle ActiveX components.

Network Icon Does Not Open the Local Area Connection Status Window After You Bring Your Computer out of Standby

2008-02-12T06:17:00.000-08:00

Network Icon Does Not Open the Local Area Connection Status Window After You Bring Your Computer out of Standby

After you bring your Windows 2000-based computer out of the standby state and then click the network icon in the notification area, at the far right of the taskbar, the Local Area Connection Status window does not open.
Back to the top

A supported hotfix is now available from Microsoft, but it is only intended to correct the problem that this article describes. Apply it only to systems that are experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the hotfix. For a complete list of Microsoft Product Support Services telephone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/contactus/?ws=support (http://support.microsoft.com/contactus/?ws=support)
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Prerequisites
This hotfix requires Windows 2000 Service Pack 3 (SP3) or later.
Restart Requirement
The hotfix installer will tell you if you have to restart the computer.
Hotfix Replacement Information
This hotfix does not replace any other hotfixes.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel. Date Time Version Size File name
--------------------------------------------------------------
20-May-2003 22:28 5.0.2195.6683 55,568 Clusapi.dll
12-Mar-2003 18:02 5.0.2195.6683 67,760 Clusnet.sys
11-Apr-2003 00:40 5.0.2195.6735 683,280 Clussvc.exe
20-May-2003 22:28 5.0.2195.6660 95,504 Netman.dll
20-May-2003 22:28 5.0.2195.6747 474,896 Netshell.dll
12-Mar-2003 18:02 5.0.2195.6683 54,544 Resrcmon.exe

WORKAROUND
To work around this problem, open Local Area Connection Status by using the Start menu. To do this, follow these steps:1. Click Start, point to Settings, and then click Network and Dial Up connections.
2. In the Network and Dial-up Connections window, right-click Local Area Connection, and then click Status

Network Connections won't open in Windows XP

2008-02-12T06:13:00.000-08:00

both computers could get online but one computer could not open the Network Setup Wizard or Network Connections control panel. Everything worked ok, except the second computer could not see this computer on the network or its shared files or printers.

After making sure both were using the same workgroup name and each had different computer names. Because I could not open the network connections control panel, it wasnt possible to check anything there. I opened a command prompt and tried getting the computer's IP information using the command

IPCONFIG /ALL

Unfortunately I was presented with a message stating the command could not run because of a missing file called WTSAPI32.DLL.

I proceeded to run System File Checker to check for any missing windows files on the computer by following these instructions:

1) Place your Windows XP CD in the CD-ROM Drive and close any autorun screen from Windows XP that may pop up.
2) Click on Start, Run
3) Type SFC /SCANNOW and press Enter to start the System File Checker for Windows XP

If any system files are missing, the program will reinstall the missing files from the Windows XP CD you placed in the CD Drive.

Unfortunately, after running the System File Checker and replacing a couple files then rebooting, I still wasn't able to run IPCONFIG and it still complained about the missing WTSAPI32.DLL file. This DLL file is part of Windows Terminal Server and contains application programming interface (API) calls used by terminal services.

I proceed to manually restore this WTSAPI32.DLL file from the Windows XP CD using this procedure.

1) Place your Windows XP CD in the CD-ROM Drive and close any autorun screen from Windows XP that may pop up.
2) Click on Start, Run
3) Type CMD and press Enter to open the command prompt
4) Type the following command to replace the dll file, substituting the correct drive letter for your CD-ROM drive. In this case replace the D drive letter with the letter corresponding to your CD drive where the Windows XP CD is located. Press Enter after typing the command.

expand D:\I386\WTSAPI32.DL_ C:\WINDOWS\SYSTEM32\WTSAPI32.DLL

5) You should see a screen showing the file being expanded and replaced.
6) Type EXIT and Press Enter to close the command prompt
7) Restart your computer

After restarting the computer, I was able to open the Network Connection icon in the Control Panel, run the Network Setup Wizard, and more. The computers could see each other again, and I was able to share a printer and make everything work correctly.

"This Device Cannot Start. (Code 10)" USB error

2008-02-12T06:11:00.000-08:00

If you have plugged in a USB device (usually a mass storage device) into a computer and it doesnt work, here are some basic troubleshooting steps to resolve the problem.
First, you want to rule out any problems with the device itself. A good way to do this is to plug the USB device into a different computer to see if it works there. If it does not work in a different computer, then the problem is with the device itself. USB devices, although very handy and portable can fail just like any other device.

However, if the USB device works in another computer system, then the problem lies with the configuration of the computer where the device did not work.

Follow the steps below to troubleshoot this scenario and make your USB device work again.

1) If you are using a USB cable with your device, check the cable to make sure it matches the speed of the device. Use USB 2.0 cables with USB 2.0 devices and USB 1.1 cables with USB 1.1 devices. Swap cables and check the device, if this does not work, proceed to Step 2.

2) Next, open Device Manager and look under the heading for USB Serial Bus Controllers. If there is a device with a yellow exclamation mark next to it such as USB Mass Storage Device. Double-click on the entry and check the Device Status. If the status shows something like

"This device cannot start. (Code 10)"

proceed to Step 3.

3) The easiest way to solve a USB error code 10 in Windows XP is to follow the steps below to remove and reinstall all USB controllers.

A. Click on Start
B. Right Click on My Computer, click on Properties
C.Click on the Hardware tab
D. Click the Device Manager button.
E. Expand Universal Serial Bus controllers section.
F. Right-click every device under the Universal Serial Bus controllers node, and then click Uninstall to remove them one at a time.
G. Restart the computer, and allow the computer to reinstall the USB controllers.
H. Plug in the removable USB storage device, and then test to make sure that the issue is resolved.

What's so important about Internet Privacy?

2008-02-12T06:04:00.000-08:00

Every time you open a browser to view a web page, order something online, or read your email in a web based viewer that information is stored on your computer for later use. Whether you are viewing the weather online, reading sports, catching up on the latest world news or viewing something a little more private, all that information is stored in your computer. Windows operating systems store all this material in what are called Temporary Internet Files or cache. Web pages may store bits of information about who you are when you visit web sites in files called cookies on your computer. Your web browser will store a list of web sites you've visited and places you've gone in a history file in your computer. Even if you are not online, programs will store histories of the files you've opened, played, or viewed.

Generally there might not be any reason to worry about all these files in your computer, but what if you sell your computer and all that information is left for someone else to see. Maybe friends and relatives visit and use your computer and you dont want everyone to know what files you are running on your computer. Then you are going to want to know how to delete these files.

Even if you are not worried about privacy on your computer, you may be surprised to realize how much hard drive space all this information takes up. If you are running out of drive space, you may want to delete these files.

How can I delete these files?

For Internet Explorer 5 and above, you can follow these directions to clear out temporary files and delete cookies.

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive.

To clear the Internet History in IE:

1) Open Internet Explorer and click on Tools
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Clear History
4) Click OK

To clean up other temporary files on your computer in Windows 98 or higher:

1) Click Start, Programs (or All Programs), Accessories, System Tools, Disk Cleanup
2) Choose the correct drive usually C:\
3) Check the boxes in the list and delete the files

How to Delete Your Windows Vista Logon Password

2008-02-12T06:01:00.000-08:00

When Windows Vista first installs, it asks you for a password for your account. Then each time you log onto the computer you have to type the password in before you can access Windows Vista.

This security feature is nice to keep your information separate and private from the other users on the computer. However if you are the only user on your PC and the password prompt is annoying, you may want to consider removing the password and bypassing the logon process altogether.

Listed below you'll find the simple and quick procedure for removing your Vista password.

1) Click on Start, then Click on Control Panel

2) Click on the User Accounts and Family Safety link

NOTE: if you are in the Classic View of Control Panel, you won't see this link, continue on to step 3

3) Click on the User Accounts option

4) In the "Make changes to your user account" section, click the Remove your Password link for the user.

5) On the next screen, enter your current password

6) Click the Remove Password button to confirm that you would like to remove your account password.

7) Close the User Accounts window

8) Restart your computer and test the system.

Now that your Windows Vista user password has been removed, you will no longer need to log inot Windows Vista. Instead when your computer starts, it will now continue loading through to your desktop automatically.

How to Delete Undeletable Files in Windows

2008-02-12T05:58:00.001-08:00

Many times when trying to remove an unwanted program, especially a piece of adware or spyware, you may run across a file that is undeletable by any normal method. When you try to remove it you'll receive the error message shown below telling you "access denied" and explaining the file may be in use. You may also receive one of the following messages.

Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.

So if the file is in use, how do you delete it?

I'll show you several ways of removing these types of files and even some freeware programs that help you remove these pesky undeletable files.
href="http://3.bp.blogspot.com/_IUcmRObi58k/R7GmM5aMgII/AAAAAAAAAEA/_DutbVd9yUM/s1600-h/errordeleting.jpg">

Windows 95/98/ME

If you are using Windows 95, 98, or Windows ME, the easiest way to remove an undeleteable file is to boot to a DOS prompt and manually delete the file. Before you do this, you'll want to make a note of the location of the file including the entire path to it. Follow the steps below to delete these types of files.

If you already know the path to the file, please skip to Step 7

Click on Start, Find, Files and Folders
Type the name of the undeletable file in the Named or Search For box
Make sure the Look In box shows the correct drive letter
Click on Find Now or Search Now and let the computer find the file
Once the file is located, right-click on it and choose properties, make a note of the file location. Usually this is something similar to

c:\windows\system32\undeleteablefilesname.exe

Close the search box
Locate a boot disk for your version of Windows, if you do not have a boot disk, follow the steps on the link below to create an emergency boot disk.

How to Create an Emergency Boot Disk for Windows

Shut down and restart your computer with the boot disk in your floppy drive.
The computer will boot to a DOS prompt that will look similar to

c:\

Type the following command and press Enter to delete the filer, substituting the phrase with the actual path and file name you discovered in Step 5 above.

del

Example:

del c:\windows\undeleteablefile.exe

Remove the boot disk in the floppy drive and restart your computer
The file should now be deleted.
Windows XP

In Windows XP, there are a couple ways to remove an undeleteable file, a manual way, and a couple automated ways using some freeware programs. First, I'll show you the manual way.

Manual Method

If you already know the path to the file, please skip to Step 7

Click on Start, Search, All Files and Folders
Type the name of the undeletable file in the box shown
Make sure the Look In box shows the correct drive letter
Click Search and let the computer find the file
Once the file is located, right-click on it and choose properties, make a note of the file location. Usually this is something similar to

c:\windows\system32\undeleteablefilesname.exe

Close the search box
Click on Start, Run, and type CMD and Press Enter to open a Command Prompt window
Leave the Command Prompt window open, but proceed to close all other open programs
Click on Start, Run and type TASKMGR.EXE and press Enter to start Task Manager
Click on the Processes tab, click on the process named Explorer.exe and click on End Process.
Minimize Task Manager but leave it open
Go back to the Command Prompt window and change to the directory where the file is located. To do this, use the CD command. You can follow the example below.

Example: to change to the Windows\System32 directory you would enter the following command and Press Enter

cd \windows\system32

Now use the DEL command to delete the offending file. Type DEL where is the file you wish to delete.

Example: del undeletable.exe

Use ALT-TAB to go back to Task Manager
In Task Manager, click File, New Task and enter EXPLORER.EXE to restart the Windows shell.
Close Task Manager

Programs to automatically delete a file

Remove on Reboot Shell Extension

This is a nice extension that loads into the right click menu. All you have to do is right-click on a file and choose "Remove on Next Reboot" and the file will be deleted the next time the computer restarts. Although it probably should only be used by more advanced computer users since it may be TOO easy to delete files using this program.

Pocket Killbox

A simple .exe file that you can use to delete undeleteable files, although the program will also delete temporary files, edit the HOSTS file, and more. A definite must have program when you are fighting an annoying spyware or adware program that won't remove.

Unlocker

Unlocker is another program that runs from the right click menu. Its simple and very effective. The website even has a side by side comparision of other programs that accomplish this task.

Using one of the three tools shown above, you should be able to remove those annoying undeleteable files once and for all.

What is the Anna Kournikova Virus?

2008-02-12T05:57:00.001-08:00

This is a Visual Basic Script virus similar to the ILOVEYOU Virus that circled the globe in 2000. It mass mails the virus as an attachment called ANNAKOURNIKOVA.JPG.VBS via Microsoft Outlook. If the current system date is January 26th, this virus tries to connect to a computer shop web site in the Netherlands. The virus can also be found on a UseNet newsgroup, microsoft.publick.opk.windows9x. The script attempts to mail itself to all recipients found in the Windows Address Book.

This virus was first discovered in August 2000, but made a comeback in February 2001 as well. The virus is sent using the following email:

Subject: Here you have, :0)
Body:
Hi:
Check This!

Attachment: AnnaKournikova.jpg.vbs

Changes the Virus Makes to the Windows Registry

The virus creates the following changes to the Windows Registry that should be deleted

HKEY_USERS\.DEFAULT\Software\OnTheFly
HKEY_USERS\.DEFAULT\Software\OnTheFly\mailed=(1 for yes)

The virus will also leave the file AnnaKournikova.jpg.vbs in the c:\windows directory

How to Clean the Virus

Other than deleting the file and registry entries shown above, this virus should be deleted by running an up-to-date virus checking program, such as the ones shown at the bottom of this page. Alternatively, you can click on the link below for a free on-line virus scanner.

How to fix Code 39 error

2008-02-12T05:54:00.000-08:00

"Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)"Because of this error, the drive did not show up in My Computer and was unable to burn CDs or read any CDs.

I uninstalled the drive from Device Manager, rebooted the computer, and the problem remained, so obviously it appeared to be a registry issue that I would have to solve. If you are receiving this Code 39 error and your CD or DVD drive is missing and has a yellow exclamation mark in Device Manager, I hope this information is useful.

To solve this Code 39 error, follow these instructions:

NOTE: After removing these registry keys and rebooting, it may be necessary to reinstall any CD or DVD recording applications.

1) Close all open programs

2) Click on Start, Run, and type REGEDIT and press Enter

3) Click on the plus signs (+) next to the following folders

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Control
Class
{4D36E965-E325-11CE-BFC1-08002BE10318}
4) This folder is the DVD/CD-ROM Drive Class Description in the registry. Look for any of the following names in the right hand column.

UpperFilters
LowerFilters
UpperFilters.bak
LowerFilters.bak
5) If any of the above keys shown in step 4 are listed, right-click on them and choose Delete

6) After deleting the keys, close the Registry Editor

7) Reboot your computer

8) Open My Computer and check to see if your CD or DVD drives have returned. You may also want to open Device Manager and verify that the yellow exclamation and error code on the CD or DVD drive is gone.

Electronic Greeting Card - msdataaccess.exe

2008-02-12T05:47:00.000-08:00

Lately every time I open my email, I have an electronic greeting card message in it. It used to be fun to open one of these messages and find a funny greeting from a good friend or relative, however now each ecard generally carries a dangerous payload of viruses, spyware, malware, and more. Sort of an electronic mixed cocktail of evil programs designed to do your computer harm. Don't get me wrong, you may still receive "good" e-cards from time to time, but these mass mailed greetings in the last couple months are something you don't want to open.

The latest cards want you to click on a link and download a free copy of "Microsoft Data Access" so you can read the card. The popup message accompanying the install even says the file is from Microsoft Corporation. Don't believe this for a second, the file msdataaccess.exe is a dangerous file, please do not open it.

However, I was bored the other day...So I took a freshly formatted Windows XP laptop and installed this file. I didnt get to view the greeting card message, instead my computer became a spam sending drone connected to a network of evil.

What do these e-cards look like?

A sample of a recently received electronic greeting card is shown below.
---------------------------------------------------------------------------------------

FROM: email@someaddress.com
DATE: Thu, 16 Aug 2007 00:35:36 -0400
TO:
SUBJECT: Love ecard

Good day.
Your Sister has sent you Love ecard from marlo.com.
Click on your card's direct www address below:
http://71.88.198.238/
Copyright (c) 1991-2007 marlo.com All Rights Reserved
---------------------------------------------

Some of the subject lines used by these cards are:

Animated card
Love postcard
Thank you postcard
Birthday e-card
Animated e-card
Funny card
Holiday ecard
Musical e-card

After clicking on the URL in the body of the message, a screen appears asking you to download "Microsoft Data Access" to view the message.

You'll notice the popup asking you to install the program even mentions it's from "Microsoft Corporation".

Then the msdataccess.exe file infects the computer and causes a chain reaction of disabling security programs like antivirus and firewalls, joining a peer-to-peer botnet to receive more commands and dangerous software from a wide range IP addresses, corrupting a file called TCPIP.SYS, and changing your DNS settings on your local area network or dialup connection. Once your computer is infected, its difficult to remove.

Are Electronic Greeting Cards Dangerous?

Scanning MSDATAACCESS.EXE with a Virus Scanner

Before I installed this dangerous file, I used Jotti's Malware Scanner to check the file. Jotti's scan checks the file with a variety of scanning engines to see if its dangerous. Many times, one scanner wont report a problem while another one will. Here are the results after scanning msdataaccess.exe:

Jotti Scan Results
Scan taken on 16 Aug 2007 17:54:11 (GMT)

A-Squared Found nothing
AntiVir Found WORM/Zhelatin.Gen
ArcaVir Found Trojan.W32.Lager.Dr42
Avast Found Win32:Tibs-BEC
AVG Antivirus Found Downloader.Tibs.7.D
BitDefender Found DeepScan:Generic.Malware.FMPH@mmign.B1DE8244
ClamAV Found Trojan.Small-3376
CPsecure Found Troj.Downloader.W32.Tibs.mv
Dr.Web Found Trojan.Packed.142
F-Prot Antivirus Found Possibly a new variant of W32/Fathom.1-based!Maximus
F-Secure Anti-Virus Found Email-Worm.Win32.Zhelatin.gq
Fortinet Found nothing
Kaspersky Anti-Virus Found Email-Worm.Win32.Zhelatin.gq
NOD32 Found Win32/Nuwar.Gen
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Mal/Dorf-D
VirusBuster Found Trojan.Tibs.Gen!Pac.132
VBA32 Found nothing

After installing the file, my computer immediately starting opening connections and sending spam to a variety of addresses. I used a program called TCPView to show this flood of email.

After seeing my computer spewing spam in all directions, I immediately disconnected from my network and began the cleanup of this lovely greeting card. I rebooted the computer once before beginning the removal and was presented with a Windows Blue Screen when shutting down too.

What's the Best Way to Remove these NuWar-type infections from My Computer?

Since no files are added to startup, or as a browser hijack object (BHO), normal tools like Hijackthis and others simply don't find this problem. This particular attack using msdataaccess.exe installs the following files:

spooldr.exe is installed in the Windows directory
spooldr.sys is installed in the Windows\System32 on Windows XP
tcpip.sys in the Windows\System32\Drivers directory is infected
tmcomm.sys is installed in the Windows\System32\Drivers directory (not normally a Windows file)

The computer then proceeds to change your DNS Settings and starts sending email. It also hides the files it installed from view when running Windows so they are hard to detect.

Tools you may want to download before attempting this removal procedure.

CCleaner - Free tool for removing temporary files, cookies, history, and cleaning up registry problems
Removal Procedure for Nuwar/Zhelatin/Tibs Greeting Card Infection

Download CCleaner to your desktop and install it, so you can use it later. Then unplug your computer from your internet connection before continuing. If you are uncomfortable with any of the procedures shown below, please do not continue with this removal. Take your computer to a repair facility or have a trusted friend follow these procedures instead. In all cases, please be careful with deleting windows files, since this could cause your computer to become inoperable.

Booting into the Recovery Console

You'll need to use the Windows XP Recovery Console to help with this removal procedure. This will either require you to boot from a Windows XP Installation CD or boot directly to the Recovery Console if its installed. Follow these steps to boot into the Recovery Console from a Windows XP Installation CD.

1) Place your Windows XP in the CD-ROM Drive
2) Restart your computer and make sure your BIOS is set to boot from CD
3) When you see the following command press the space bar.

"press any key to boot from cd..."

4) Wait until you see the "Welcome to Setup" screen, and press R to start the Recovery Console
5) Choose which Windows installation you wish to load (this is usually #1 unless you have a multi-boot system)
6) Type the administrator password and Press Enter
7) You should now be at the C:\Windows> prompt

Deleting the Infected Files

From the Windows prompt type the following and press Enter after each line

del c:\windows\spooldr.exedel c:\windows\system32\spooldr.sysdel c:\windows\system32\drivers\tcpip.sys
del c:\windows\system32\drivers\tmcomm.sys (may not be found in all cases)
Type exit and press Enter to reboot into Windows.

Installing a new copy of TCPIP.SYS

When Windows restarts, follow these steps to expand a new copy of tcpip.sys to your hard drive.

Click on Start, Run
Type CMD and Press Enter
Make sure your Windows XP CD-ROM is in the drive and type the following to extract a new copy of TCPIP.SYS to the hard drive. Substitute the appropriate drive letter for your CD-ROM drive, in this case Drive D.

EXPAND D:\I386\TCPIP.SY_ C:\WINDOWS\SYSTEM32\DRIVERS\TCPIP.SYS

Type Exit to Close the Command Prompt
Turn off System Restore to Remove Saved Copies of Virus

To turn off Windows XP System Restore:

NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.

1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives" as shown in this illustration:
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click Apply at the bottom of the screen.
8. Now uncheck "Turn off System Restore" or "Turn off System Restore on all drives." to re-enable it and clear any viruses that were backed up by System Restore.
9. Click Apply, and then Click OK.
10. Double-click on CCleaner on your desktop and remove any temporary files and registry problems it finds.
11. Restart your computer
12. Re-enable your network connection

What is the Config.MSI Folder and Can I Delete it?

2008-02-12T05:44:00.000-08:00

reinstalling Quickbooks . The program would not open and when I tried to reinstall it and an error appeared about not being able to overwrite some files in the CONFIG.MSI folder.
First of all, the CONFIG.MSI folder is a hidden folder on the root drive of Windows, usually Drive C. The folder is used by the Windows Installer process during an installation of software. It saves files with the extension of .RBS and .RBF. These are Rollback Script Files used by the installer to uninstall recent changes if an install fails somewhere along the way. The rollback script file (.rbs) is always stored in the Config.msi folder on the disk where the operating system is installed. The .rbf files are stored in the Config.msi folder located on the disk where the program that is being backed up currently resides. These can be two different drives.

Can the CONFIG.MSI folder and its files be deleted safely?

Essentially the CONFIG.MSI folder contains backups of files that are being installed or updated during a program installation. Upon a successful completion, this folder and files are deleted automatically. However, sometimes the installer program fails to remove these files. In this case, you may safely delete the CONFIG.MSI folder and files from your hard drive. Follow the steps below to access and remove the CONFIG.MSI folder.

Reboot the computer and try to download Windows Updates, if they still fail to install, continue with the next step.

Show Hidden Files and Folders

Open My Computer
Click on Tools, Folder Options
Click on the View tab
Under the Hidden Files and Folders section, select "Show Hidden Files and Folders"
Click Ok
Find CONFIG.MSI folder Using My Computer

Open My Computer
Double-click on Drive C (or whatever drive Windows is installed on)
Look for the MSCONFIG.MSI folder (it should be a faded folder since its hidden)
Right-click on the MSCONFIG.MSI folder and choose Delete
Click Yes to confirm deletion of the folder and files
Close the My Computer window

How to Fix Problems When Windows Installer

2008-02-12T05:35:00.000-08:00

Microsoft Data Access Components were reinstalled and then was prompted to insert the CD or point to the location for a file called ItsDeductible10.MSI. After cancelling this popup screen several times, the selected program would eventually open and be useable. Since this was happening with multiple programs on his computer it was a rather annoying issue.

similar situation with Microsoft Office products and usually the reinstallation of a service pack would solve the problem. However, this problem wasn't related to an Office product but rather a product called Its Deductible from Intuit, the makers of Quicken, Quickbooks, and Turbotax.

Since there wasn't any CD or disk that contained this .msi file, we were left with fixing the windows registry to correct this annoying issue.

First downloaded CCleaner and ran a registry scan that helped clean up nearly 657 separate issues. However, this step didn't solve the problem with the Windows Installer popup. So download the Windows Installer Cleanup Utility and install it on the computer.

After running the Windows Installer Cleanup and removing the installation info for Turbotax and ItsDeductible reboot the computer. After returning to the Windows Desktop, trie to open the several programs that would not open correctly before. Each program open without any problems.

If you experience an issue with a program trying to install a .msi file that is missing, the issue is most likely a corrupted Windows Installer issue. Click on the following link to download the Windows Installer Cleanup Utility and fix it.

How to Speed Up Windows Boot Time

2008-02-12T05:26:00.000-08:00

One of the questions I am often asked is how to speed up the time it takes Windows to load or boot. There are a variety of factors (both hardware and software) involved in lowering the amount of time it takes for Windows to load. I will go over most of these ways in this page starting with changes in the system BIOS and moving onward from there.

All of these changes are optional, and do not need to be carried out. Instead, they are offered as suggestions to try to lower the time it takes for Windows to boot. Some of these changes are very advanced and should only be attempted if you are comfortable with making the changes and have your data backed up.

System BIOS Changes

One of the first places to help speed boot time in Windows is to make some simple changes to the system BIOS. The BIOS or Basic Input/Output System is a set of instructions and commands built into the motherboard that allows the computer to know what type of hardware is connected and how to communicate with that hardware. You'll first have to gain access to the BIOS setup screen to make any changes. Do not make changes to the system settings in the BIOS lightly, one mistake can render the computer unbootable and cause more problems than its worth. For this reason, do not attempt making changes to the system BIOS unless you are willing to accept the risk along with it. With that said, you'll want to follow the directions below and make some simple changes to speed up the boot process.

1) You must start with the computer completely off, not in sleep or hibernation mode. Then turn the computer on.

2) Enter the system BIOS screen by the manufacturers suggestion. Depending on the computer, this may involve pressing the DEL key, pressing F1, Pressing F10, holding down CTRL-ALT-S, or a variety of other keystrokes to get to the BIOS screen. For a more complete list of keystrokes to enter the BIOS screen, visit Michael Steven's page on the subject.

3) Once in the BIOS setup, look for a BOOT menu and select it with your keyboard arrow keys, Tab, and Enter.
4) In most modern BIOS screens, you'll find an option for Quick Boot. Enable this to skip memory tests and other minor Power On Self Tests (POST).

href="http://2.bp.blogspot.com/_IUcmRObi58k/R7GfKpaMf_I/AAAAAAAAAC4/WysnqyjCc1M/s1600-h/bootdevicepriority.jpg">

5) Find an option for Boot Device Priority next, and change the first boot device to be the hard drive. Changing this option will speed up the boot process, but it will also not allow the computer to boot from a floppy disk or CD-ROM. If booting from anything other than the hard drive is important to you, please skip this step. If later on, you need to boot from a CD-ROM, simply re-enter the BIOS setup and make the CD-ROM the first boot device.
<

6) Choose the option to Exit and Save Changes and the computer will reboot.

There are other options in the BIOS to speed up boot time such as choosing the exact settings for your hard drive, and disabling AUTO DETECT of hard drives and other media. However I am skipping those changes and leaving them for a later discussion.

Changes to Windows Settings
The next group of changes to consider will be to the many Windows settings. We will use a handy tool called the System Configuration Utility to accomplish most of these changes. Follow the steps below to open and use this tool.

Startup Tab Changes

1) Click on Start, Run and type MSCONFIG and press Enter

2) Click on the STARTUP tab in the System Configuration Utility to view all the items that begin on Startup. An example is shown below.

Each item on the Startup tab that is checked loads immediately after Windows starts. If there are lots of items here, this will slow down the boot time for Windows considerably. Each of these items can be toggled on or off simply by using the checkmark box to the left of the item.

The column directly to right of the checkmark is the Name of the program, while the next column over is the location on the hard drive or other device of the file. Finally the last column shows where in the computer the file is started from. This location could be in the registry as is the case with all the locations that begin with HKLM or HKCU, or it could be in the Windows Startup folder found under ALL PROGRAMS in Windows XP.

You can examine each of these startup items and uncheck any that are not necessary. How do you know which ones are not necessary? Well, in most computer configurations, you'll want drivers running for your graphics or video controller and sound card, and most likely an antivirus and firewall running. Other startup items are usually extras that could be eliminated from boot up. To discover what a particular item is used for, jot down the name for the item and go over to a site called Process Library, type in the name of the process and click Find. This is a very handy tool for discovering which startup items are truly needed.

When you are done modifying the checkmarks to the Startup tab, click OK and you'll be asked to reboot the system.

Windows Services Changes

Once the computer is rebooted, click on Start, Run and type MSCONFIG and press Enter again. This will reopen the System Configuration Utility. Click on the Services tab, then click on the option at the bottom called "Hide All Microsoft Services" to see what unnecessary Windows services are running that can be removed. Generally speaking, you want services related to your video/sound cards and antivirus or firewall programs left running. Other services may not be essential and can be removed. Remember to only remove unessential services or you risk experiencing boot problems. Use Google to search for information on unfamiliar services. Another good resource is Black Viper's Strange Services page.

Hardware Changes to Increase Boot Time

Adding more Memory (RAM)
Other than upgrading the motherboard and CPU, you can generally increase the amount of RAM in your computer to make it load programs and applications faster and provide a more enjoyable computing experience. You'll want to check your motherboard to make sure you have available slots and the maximum amount of RAM you can add to your particular motherboard.

Replacing your Hard Drive with a Faster RPM Drive

If you have a slower hard drive such as a 5400 RPM or slower, you may want to consider upgrading to a faster 7200 RPM
hard drive. The difference in RPM speed will generally be quite noticeable.

Changing to Static IPIf your computer is connected to a local area network that you control and you have a DHCP server enabled on your router, during the boot process the computer queries the network to valid IP address. You can shave seconds off your boot time by assigning a valid IP address to your computer instead of using DHCP to assign it. To setup a Static IP for your computer, follow these directions.

1) Click on Start, Run
2) Type NCPA.CPL and press Enter to open the Network Connection Control Panel
3) Right-click on the Local Area Connection and choose Properties
4) Click on Internet Protocol (TCP/IP) and click Properties
5) You should see a screen similar to the one below. Fill in your static IP, subnet, default gateway, and DNS server information and click OK. If you aren't sure of your IP ranges on your router, consult your router manual or a friend that is more knowledgeable in networking terminology. Again, this is an optional item and does not necessarily need to be accomplished. Using DHCP is fine, although you sacrifice a few seconds for an IP to be assigned to from the network.

Switching from Master/Slave to Cable SelectIn a recent article, I talk about how changing the configuration on the hard drive from Master to Cable Select reduced the boot time on this particular machine by 2 minutes.

Other Windows Performance Tips

Reduce the Number of Fonts installed

Every font that is installed in Windows has to load when Windows starts. The more fonts you have installed, the slower Windows loads. Although you can safely have around 1000 fonts loaded in Windows, I like to keep my font list closer to 300-500 or fewer if possible. There are certain fonts that are definitely required by Windows, so be careful in removing any fonts from your computer unless you know they are not needed. Fonts such as Verdana,Arial,Trebuchet, Tahoma, Tahoma, Times New Roman, MS Sans Serif, and Courier New should be left on your system. Follow the directions below to remove extra fonts from Windows XP.

1) Open My Computer
2) Double-click on Drive C
3) Click on File, New Folder and title it Fonts Backup
4) Double-click on the Windows folder to open it
5) Double-click on the Fonts folder
6) Highlight the fonts you wish to remove, click on Edit and choose COPY
7) Navigate back to the C:\Fonts Backup folder and PASTE these fonts into your backup folder
8) Return to the Fonts Folder and right-click on any fonts you previously copied to the backup folder, then choose Delete.

If you accidentally removed a font, simply reverse the procedure by copying and pasting the font back into the Windows\Fonts folder.

Disk Cleanup, Scandisk, and Defrag

Performing regular hard drive maintenance on your computer every few months will not only catch problems before they cause serious damage but also make your hard drive run at its optimal level. Follow these instructions to clean up the drive and defrag it.

1) Open My Computer
2) Right-click on the hard drive usually Drive C
3) Click on the Tools tab
4) Under Error Checking, click on Check Now. Optionally, you may want to check the boxes to "Automatically Fix File Errors" and "Scan For and Attempt Recovery for Bad Sectors"
5) Next, click on the General tab and click on Disk Cleanup. After the computer calculates the amount of files to remove, place a checkmark next to the type of files you wish to remove and click Ok. Read the descriptions for each type of file to determine if you should delete it.
6) Finally, click on the Tools tab again and under Defragmentation click Defragment Now
7) Click on the hard drive you wish to defrag, click on Analyze and then click on Defragment. This process may take some time to complete.

Virus/Spyware Scans
Finally, you'll want to complete a thorough virus and spyware scan of your system. I recommend running an online virus scan first, then a check for spyware. You can click on the following links to check your system for viruses.

Unable to Download Files Using

2008-02-12T05:22:00.000-08:00

"Internet Explorer cannot download filename from this particular webserver".

After trying to repair Internet Explorer to no avail, I discovered the problem lies in the Temporary Internet Files folder. Sometimes the index.dat file can become damaged. If this occurs, you'll have to delete the index.dat file and restart your computer. Then you'll be able to download files correctly again. Follow the steps below to delete this file.

1) Open Internet Explorer.
2) Click on Tools, Click on Internet Options
3) On the General tab under Temporary Internet Files, click on Delete Files
4) Click Ok when it asks if you want to delete the files
5) Under the History section on the General tab, click Clear History, then click Ok
6) Close Internet Explorer
7) Log off the current user and Log onto another user account such as Administrator
8) Click on Start, Run
9) Type CMD and Press Enter to open a command prompt
10) Change directories to the Temporary Internet Files directory by typing the following command, substituting the correct drive letter and the word username with the correct user in Windows XP.

cd drive:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5

Example: cd c:\Documents and Settings\Mark\Local Settings\Temporary Internet Files\Content.IE5

11) type del index.dat and press Enter
12) Type Exit and press Enter to close the command prompt
13) Restart your computer

Once the computer has been restarted, open a web page with a link to a download. Click on the link and try to download the file. It should now work.

How to Remove Individual Entries from Run Command History

2008-02-12T00:42:00.000-08:00

What is the Run Command History?

Many items in Windows use a MRU (Most Recently Used) List to keep lists of filenames, commands, etc. The Run command in the Start Menu keeps a list of the last several commands you entered. If you are like me, you use the run command quite frequently to open the Windows Registry, run a particular program like Notepad, or open a utility like the calculator. However, there are many times that I would like to delete one entry in this list but leave the others.

Utilties such as Window Washer or CCleaner have options to clear this Run MRU list each time they are activated, however I want to selectively delete items in the list and keep my most used items handy for later.

Where is the Run MRU (Most Recently Used) List?The RUNMRU list is stored in the Windows Registry in the following location:

HKEY_CURRENT_USER\ Software\ Microsoft\ Windows\ CurrentVersion\ Explorer\ RunMRU\

It includes each command that you most recently used along with a key called MRUList that keeps the order the commands should appear in the list. See the screenshot below:

By opening the Registry Editor you can go to the registry key and right-click on the command you wish to remove and delete it. Close the Registry Editor and restart your computer and the list will be changed.

Is There a Program to Delete Individual Entries from the RUNMRU List?
Many of my customers would rather not edit the Windows registry to remove these individual entries, so I setup a VBScript that you can download and run to delete individual commands from this list. Follow these instructions to download and use this program to clear unwanted entries from the Run Command history.

1) Click on the following link and download the EditRunMRUList.vbs script to your desktop

Download EditRunMRUList.vbs
By opening the Registry Editor you can go to the registry key and right-click on the command you wish to remove and delete it. Close the Registry Editor and restart your computer and the list will be changed.

Is There a Program to Delete Individual Entries from the RUNMRU List?

Many of my customers would rather not edit the Windows registry to remove these individual entries, so I setup a VBScript that you can download and run to delete individual commands from this list. Follow these instructions to download and use this program to clear unwanted entries from the Run Command history.

1) Click on the following link and download the EditRunMRUList.vbs script to your desktop

Download EditRunMRUList.vbs

2) Double-click on the editrunmrulist.vbs file
3) The program will open and tell you how many entries are currently in the RUNMRU list, then it will ask you if you want to edit the list now, click Yes to continue.

4) The next screen will show you the first command in the list and ask you if you want to delete it. Click on Yes to Delete or No to Keep it.

The program will proceed through each command in the list allowing you to keep or delete the command.

5) After cycling through each command, the program will remind you to Restart Your Computer before the change will take effect.

6) Finally, before restarting the program will ask if you wish to visit my site PCHell.com

7) Restart your computer and then check the run command list. It should now be changed.

How to Gain Access When You

2008-02-11T01:40:00.000-08:00

How to Gain Access When You
Have Forgotten the Administrator Password in
Windows NT/2000/XP/2003 and Windows Vista

I have often ran across computers that I needed to gain access to for data recovery, but I didnt have the administrator password to access the hard drive. Since in many situations, there is just one administrator account I can't log into another administrator account and change the password so I have to rely on other methods. I could put the hard drive into another computer as a slave and gain access (sometimes) or I could try installing a second copy of the operating system in parallel and gain access but there must be a better way.

That way is to try to reset the administrator password to something you do know and allow you to access to the user profile and the data. In most cases, this is the best solution. However, you have to make sure the data is not encrypted using the Windows XP Encrypting File System (EFS) or other encryption. If the data is encrypted, you probably will not be able to gain access to those encrypted files by changing the administrator password.

Petter Nordahl-Hagen's Offline NT Password & Registry Editor

This is absolutely one of the best free tools to reset the administrator password and gain access that I have ever used. It modifies the encrypted password in the registry's SAM file allowing you access to the account in Windows NT/2000/XP/2003/Vista systems.

There is an image file to create a bootable floppy disk or bootable CD to modify the admin password and access NTFS partitions. You do not need to know the old password to set a new one. It will also offer to unlock disabled or locked user accounts (a very helpful feature). The program was just updated on April 9, 2007 to include Vista support.

Please visit the site by clicking on the link below to download a CD image or floppy image of this great program.

http://home.eunet.no/~pnordahl/ntpasswd/

LoginRecovery.com

Another option is to decrypt the password and show you the actual administrator password. A great site for doing this is loginrecovery.com. Basically, you download a small program to extract the password from the computer, then you submit the encrypted password file to their site and they will recover the lost password. Of course, you need a computer with Internet access to upload the file and find the password.

With this option, the administrator password is not changed so you wont lose access to EFS encrypted files. Visit their site by clicking below

http://www.loginrecovery.com

Although there are probably other options to recover an administrator password, I find the two option shown above to be the quickest and easiest ways to either change or discover the password and allow you access to the user profile and data stored on the hard drive.

Windows errors related to isafe.exe

2008-02-10T22:17:00.001-08:00

Windows errors related to isafe.exe ?
isafe.exe is a part of Computer Associates eTrust AntiVirus which keeps your Internet security product up to date. This program is important for the stable and secure running of your computer and should not be terminated

sapisvr.exe - sapisvr - Process Information

2008-02-10T22:10:00.000-08:00

Windows errors related to sapisvr.exe
sapisvr.exe is a process belonging to Windows XP. It provides speech recognition functionalities. This program is a non-essential process, but should not be terminated unless suspected to be causing problems

Chances are, though, the computer is really only doing what you're telling it.

Literally.

•

Sapisvr.exe is Microsoft's Speech Recognition engine. When enabled, it listens to what's coming in on the microphone and attempts to interpret what it hears as words, then enters keystrokes to "type in" those words it heard.

That's nice, in principle, but if it's always enabled it can cause exactly the odd behavior you describe. You make a noise (just about any noise can cause it to think it's heard a word), and keystrokes get entered. Or ambient noise is enough to cause it to try to recognize speech.

Normally this feature should be disabled, but apparently some PC manufacturers or others enable it by default.

"... it listens to what's coming in on the microphone, and attempts to interpret what it hears as words, and then enters keystrokes to 'type in' those words ..."To disable:

Go to Control Panel

Click on Regional and Language Options

Click on the Languages tab

Click on the Details button

Click on Speech Recognition

Click the Remove button

And if you're wondering why this could be happening if you don't have a microphone, look again. Many laptops in particular have built-in microphones, and I'm lead to believe that some other computers may as well.

MCSE questions

2008-02-07T03:17:00.000-08:00

1)You are setting up a user to print to a Network Printer without assigning this user to a print server.What is the proper way to configure this user's PC?

A)In the printers properties dialogue, specify the port to print to LPT1:
B)Set the Spool Settings to spool document first, and then print
C)Select Automatically Detect My Plug and Play Printer
D)Add a Standard TCP/IP local port
E)Enable Printer Pooling
F)Stop and restart the print spool service
Answer: D

2)You are installing an LPR port on your Windows XP Professional client to be able to print to a print device connected to a UNIX print server.Which of the following information do you need to provide?

A)IP address or host name of the UNIX print server
B)IP address or host name of the print device
C)The name of the print queue on the UNIX server
D)The name of the print queue on the print device
Answer: A, C

MCSE-Q&A

2008-02-05T00:02:00.000-08:00

Question # 1: At the command prompt, how can you map a network drive?
1. Net use \\server/share
2. Net use \\server\share
3. Net use //server/share
4. Network \\share

Answer: 2

Question # 2: What was the earliest Windows OS to support Fat 32?
1. Windows 95 OSR2
2. Windows 98
3. Windows 95
4. Windows 98 se
5. Windows NT

Answer: 1
Question # 3: Where are all the install files located on a Windows XP install CD?
1. i386
2. Windows
3. Winnt
4. Instwinfile
5. Windows_XP

Answer: 1
Question # 4: What command switch do you need with SFC.exe in order to scan your system?
1. /Scan
2. /Checknow
3. /C
4. /S
5. Scannow

Answer: 5
Question # 5: How many floppy disks does it take to install Windows XP without a bootable CD ROM drive?
1. 3
2. 2
3. 6
4. 7
5. 5
6. 4

Answer: 3

Question # 6: What does Dr. Watson do?
1. Is Holmes' partner
2. Finds driver conflicts
3. Seeks out errors in the registry
4. No such utility
5. Helps trouble shooting application errors
6. Finds viruses

Answer: 5

Question # 7: When using Windows 2000, what command can you use to hide a file called test that is on the root of C:? 1. Hide +s C:\test
2. Hide C:\test
3. Attrib +H C:\test
4. Attrib â€“H C:\test
5. Attrib C:\test /c

Answer: 3

Question # 8: What command line switch do you use to check for compatibility problems when upgrading to Windows 2000?
1. WINNT.EXE /CHECKHW 2. WINNT32.EXE /CHECKUPGRADEONLY
3. WINNT32.EXE /UPGRADEREPORT
4. WINNT32.EXE /CHECK

Answer: 2
Question # 9: What is the name for a malicious application that can spread itself over a network?
1. Trojan horse
2. Virus
3. Combination attack
4. Worm

Answer: 4
Question # 10: For what device is this line loading drivers? LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:123 1. MSCONFIG
2. COMMAND.COM
3. CD ROM drive
4. Sound card
5. Impossible to tell

Answer: 3
Question # 11: You are preparing a new hard drive to have Windows 98 installed on it, but you must partition it. What command can you use to do this?
1. FDISK.EXE
2. PARTHD
3. DELPART
4. ATTRIB
5. FROMAT.EXE

Answer: 1
Question # 12: In Windows 2000, what can a power user do that a user cannot? 1. Install the Operating System
2. Administrate all user accounts
3. Administrate user accounts that they make
4. Administrate the whole domain

Answer: 3

Question # 13: What does RDISK.EXE do? 1. It creates resource disks
2. It defragments your hard drive
3. Creates emergency repair disks
4. It reassesses hard drives and floppies
5. It is the new version of Fdisk for Windows 2000

Answer: 3

How to remove hkcmd error?

2008-02-04T22:11:00.000-08:00

How to remove hkcmd error

The free file information forum can help you find out if hkcmd.exe is a virus, trojan, spyware, adware which you can remove, or a file belonging to a Windows system or an application you can trust.

hkcmd.exe file information
The process hkcmd Module belongs to the software Intel(R) Common User Interface or hkcmd.exe by Intel Corporation (www.intel.com).

Description:
hkcmd.exe is located in the folder C:\Windows\System32 or sometimes in a subfolder of "C:\Program Files" or in a subfolder of C:\Windows\System32. Known file sizes on Windows XP are 77824 bytes (29% of all occurrence), 126976 bytes, 118784 bytes, 114688 bytes, 90112 bytes, 106496 bytes, 86016 bytes, 163840 bytes, 98304 bytes, 139264 bytes, 36364 bytes, 23564 bytes, 147456 bytes, 37585 bytes, 69632 bytes, 31650 bytes, 21504 bytes, 184320 bytes, 353750 bytes, 267744 bytes, 31730 bytes, 37886 bytes, 37631 bytes, 31849 bytes, 39477 bytes, 24076 bytes, 16897 bytes, 25600 bytes, 56320 bytes.

hkcmd.exe is not a Windows system file.
Program starts upon Windows startup (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).
hkcmd.exe is a Microsoft signed file. The program has no visible window. Therefore the technical security rating is 28% dangerous

There are different files with the same name:

"hkcmd" can run at start up. Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via the Display Properties in Control Panel

"HotKeysCmds" can run at start up. Installed by the Intel 810 and 815 chipset graphic drivers. If you want the Ctrl+Alt+F12 or similar keypresses to access Intel's customised graphics properties, you need it, otherwise not. Can be disabled via Control Panel -> Display Properties

Important: Some malware camouflage themselves as hkcmd.exe, particularly if they are located in c:\windows or c:\windows\system32 folder. Thus check the hkcmd.exe process on your pc whether it is pest. We recommend Security Task Manager for verifying your computer's security.

Windows errors related to hkcmd.exe ?

2008-02-04T22:09:00.001-08:00

Windows errors related to hkcmd.exe ?hkcmd.exe is installed alongside Intel multimedia devices and allows configuration and diagnostic options for these devices. This program is a non-essential process, but should not be terminated unless suspected to be causing problems

what is spoolsv.exe

2008-02-04T03:52:00.001-08:00

spoolsv.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

Note: spoolsv.exe could also be a Microsoft Windows system executable which handles the printing process. This program is important for the stable and secure running of your computer and should not be terminated.

Determining whether spoolsv.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from

what is ctfmon.exe?

2008-02-04T03:46:00.000-08:00

ctfmon.exe is a process belonging to Microsoft Office Suite. It activates the Alternative User Input Text Input Processor (TIP) and the
Microsoft Office XP Language Bar. This program is a non-essential system process, but should not be terminated unless suspected to be causing problems.

Note: ctfmon.execould also be a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Determining whether ctfmon.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from

what is smss.exe?

2008-02-04T03:27:00.000-08:00

smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager Subsystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Note: smss.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Determining whether smss.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from

What is lsass.exe?

2008-02-04T00:29:00.000-08:00

1)It is a system process of the Microsoft Windows security mechanisms.
2)It specifically deals with local security and login policies. This program is important for the stable and secure running of your computer and should not be terminated.

Note: lsass.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

Note: lsass.exe is registered as a downloader. This process usually comes bundled with a virus or spyware and its main role is to do nothing other than download other viruses/spyware to your computer. This process is a security risk and should be removed from your system.

Determining whether lsass.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from

Security problem in Windows XP Help and Support

2008-02-01T01:42:00.000-08:00

In Windows XP Support and Help Center there is security problem through which hackers can do harm to our system from Internet .

How ?

From different chat rooms and various forums, in the form of Links to cracks .

When ever we click that links some directories in our system get deleted without our notice.

How can it be overcome?

Microsoft had released a patch in 2002 .

This you can download from following

http://www.firewall.cx/downloads/patches/ms-Q328940-patch.exe

What is alg.exe?

2008-01-31T03:29:00.000-08:00

1)It is a process belonging to Microsoft Windows Operating System.
2)It is a core process for Microsoft Windows Internet Connection sharing and Internet connection firewall.
3)This program is important for the stable and secure running of your computer and should not be terminated.
4)Application Layer Gateway Service (alg)
5)Application Layer Gateway service is a component of of Windows OS. It is required if you use a 3rd party firewall or Internet Connection Sharing (ICS) to connect to the internet. Do not end this program in task manager - you will lose all internet connectivity until next restart or login.

LOCATION: The alg.exe file is located in the folder C:\Windows\System32. In other cases, alg.exe is a virus, spyware, trojan or worm! Check this with Security Task Manager.

Windows errors related to svchost.exe ?

2008-01-31T01:20:00.000-08:00

1)svchost.exe is a system process belonging to the Microsoft Windows Operating System which handles processes executed from DLLs.
2)This program is important for the stable and secure running of your computer and should not be terminated.
3) svchost.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data.

4)It is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. This process is a security risk and should be removed from your system.

5)It is a process belonging to Microsoft Service Host Process. This could also be a stealth monitoring software that sits in the background and tracks all activities such as keyboard input (including websites visited, passwords etc.) This information can be sent to third parties through email or ftp uploads. If you did not intentionally install this program make sure you remove it to protect your privacy.

Determining whether svchost.exe is a virus or a legitimate Windows process depends on the directory location it executes or runs from

What is Svshost.exe?

2008-01-30T02:53:00.000-08:00

svshost.exe - svshost - Process Information
Process Name: Worm.P2P.Spybot.gen virus

Windows errors related to svshost.exe ?

svshost.exe is a process which is registered as Worm.P2P.Spybot.gen virus. This Trojan spreads on normally P2P sharing tools and, spreads locally via network shares. This process is a security risk and should be removed from your system.

when does Orkut is banned appears?

2008-01-30T00:48:00.000-08:00

When we open the site www.orkut.com

the message Orkut is banned...you fool!! appears

This is caused due to a virus Heap41a.
This is removed by using Task manager ( CTRL+ALT+DEl)

press the tab processes

if in that a process named svchost.exe is running with the user name , then remove it by doing end task

if the site is blocked :
goto www.hidemyass.com and type the url (www.orkut.com) there and it ll open.

2. Click start->run->regedit
3. press ctrl + f and type "heap32a"
4. delete all values by this name.
5. close regedit and open "My Computer"
6. in the address bar type "c:\Heap32a"
7. press ctrl + A and shift + del all the items.

Using the Syspart Method to Preinstall WindowsWhen

2008-01-29T06:54:00.001-08:00

Using the Syspart Method to Preinstall Windows
When you use the Syspart method, you stop the installation of Windows after the file-copy phase of Setup, duplicate the hard disk, and then complete Windows Setup on each destination computer built from the duplicate hard disks. For more information on the Setup process, see Stages of Windows Setup.

The Syspart method does take less time than running Winnt32.exe on every computer. However, because both the text-mode and GUI-mode phases of Setup must run on each destination computer, this legacy technique is more time-consuming than duplicating a fully installed version of Windows onto one or more destination computers, as described in Creating a Master Installation and Placing the Base Operating System on the Destination Computers.

Use two hard disks, with a primary partition on the clean, newly formatted destination hard disk. The destination hard disk does not need to be physically installed in the master computer; instead, you can access the destination hard disk through a network connection.

Important

Winnt.exe does not have the Syspart command-line option. You must use Winnt32.exe.
Run the winnt32 /sysprep command from a computer already running Windows 2000, Windows XP Home Edition, Windows XP Professional, or Windows 2002 Server. You cannot use this command-line option on Windows 95, Windows 98, Windows Millennium Edition, or 64-bit editions of Windows.
To create a hardware-independent snapshot of Windows files

Choose a computer to use as the master computer. The master computer must use Windows NT, Windows 2000, Windows XP Home Edition, Windows XP Professional, or Windows 2002 Server.
Start the master computer and connect to the preinstallation distribution folder.
Start Windows Setup, and then click Start, click Run, and then type:
Winnt32 /Unattend:Unattend.txt /s:install_source /Syspart:system_drive2 /tempdrive:system_drive2

where:

Unattend.txt
Specifies the answer file used for unattended Setup. It provides answers to some or all of the prompts the end user normally responds to during Setup. Using an answer file is optional when creating the master installation.
install_source
Specifies the location of the Windows files. You can specify multiple /s options if you want to install from multiple sources simultaneously.
system_drive2
Specifies the system partition of a second hard disk on which you preinstall Windows and applications.
Because the /syspart and /tempdrive options reference the same drive, Windows is installed on the primary partition of a that hard disk.

Important

The /syspart option for Winnt32.exe is only run from a computer already running Windows 2000, Windows XP Home Edition, Windows XP Professional, or Windows 2002 Server. You cannot use this command-line option on Windows 95, Windows 98, Windows Millennium Edition, or 64-bit editions of Windows.
If you use the /tempdrive option, make sure you have sufficient free disk space on your second drive to install both Windows and your applications.
After Setup copies files to the hard disk, shut down the computer.
Remove the hard disk from the computer, and then use disk-duplicating equipment or software to make copies of the hard disk.
Install a duplicated hard disk into a destination computer.
Start the destination computer and complete Windows Setup.
Run Sysprep, with the -nosidgen option, to prepare the computer for the end user.
For more information about Sysprep, see Using Sysprep.

You can also use the Syspart method to create a master installation to duplicate onto computers that use a different hardware abstraction layer (HAL).

To create a HAL-specific snapshot of Windows files

Create a source disk using the Syspart method to copy files.
Make enough copies of this disk to configure and use as the master installation(s) for each type of computer you preinstall in your factory.
For each type of computer, place a source disk into the hardware-specific "master computer". Turn on the computer.
Windows Setup completes automatically.

When Setup is complete, run Sysprep to prepare the computer for the end user.
Duplicate the hardware-specific hard disk and install the each duplicate in a computer identical to the master computer.

MCSE sample question

2008-01-29T06:50:00.001-08:00

The SYSPART process can be initiated on a computer running which of the following?
a. Windows 95
b. Windows 98
c. Windows NT
d. Windows 2000
e. all of the above

A) a & C

Microsoft Windows 2000 Guide to Unattended Setup

2008-01-29T06:50:00.000-08:00

Microsoft Windows 2000 Guide to Unattended Setup
Answer File Parameters for Unattended Installation of the Windows 2000 Family of Operating Systems

Unattended Setup mode is a hands-free method of installing Microsoft® Windows® 2000 that is convenient for Original Equipment Manufacturers (OEMs), Administrators in corporations, Value Added Resellers (VARs), and other users.

Note: For a complete listing of Winnt.exe and Winnt32.exe commands, see Windows 2000 Help. Or, at a command prompt, switch to the \i386 folder on the Windows 2000 product CD, and then type: winnt /? or winnt32 /?

• To start Windows 2000 Setup in unattended Setup mode from MS-DOS® or Windows 3.1/Windows for Workgroups, a user must specify:

winnt /u: /s: /t:

• To start Windows 2000 Setup in unattended Setup mode from Windows 95 or Windows 98, Windows NT®, or Windows 2000, a user must specify:

winnt32 /unattend: /s:
[/syspart:] [/tempdrive:]

where:

• is a file that contains answers to questions that should be automated during installation.

• is the location of the Windows 2000 installation files.

• /syspart copies all boot files to the target drive and marks it as active. This option is only valid for Winnt32.exe.

• /tempdrive copies all the installation files to a temporary folder on the target drive. This option implies that Windows 2000 must be installed in the specified drive and is only valid for Winnt32.exe.

If the temporary folder is full, the user is prompted to choose another directory during setup. After this is done, unattended setup continues.

Note: The /tempdrive parameter, like the /t switch for the Winnt.exe command, is useful to ensure the correct drive is chosen without user intervention when the hard disk has multiple partitions or hard disks.

• /t (Optional) copies all the installation files to a temporary directory on the target drive. This option assumes that Windows 2000 is installed in the specified drive and is only valid for Winnt.exe.

If the temporary directory is full, the user is prompted to choose another directory during setup. After this is done, unattended setup continues.

Note: Use the /t or /tempdrive switches to install Windows 2000 to a partition other than the boot partition on a computer.

A combination of /syspart and /tempdrive is useful if the target drive is used as the primary drive on another computer. The /syspart and /tempdrive parameters are optional. By using them together, you can create a custom image that can be used across non-identical computers. GUI-mode Setup then completes the installation on those computers.

Important: If you direct /syspart to a non-boot drive on your computer, remove that drive before restarting your computer. Otherwise, your computer cannot boot.

To start Windows 2000 Setup in unattended Setup mode from the Windows 2000 product CD

1.
The computer must support booting from the CD-ROM drive—El Torito No Emulation CD boot support.

2.
The answer file must be named Winnt.sif and must be placed on a floppy disk to be inserted as soon as the computer boots from the CD.

The Winnt.sif answer file may also be placed on and run from a bootable CD. For more information about creating a bootable CD, see KB article 167685, "How to Create an El Torito Bootable CD-ROM" at the Microsoft Product Support Services Web site:

http://support.microsoft.com/support/

3.
The answer file must contain a [Data] section with the required keys specified. For more information, see "[Data]," later in this document.

Note: When using the Remote Installation Service (RIS) to install Windows 2000 on a computer that has a bootable network card, specify the network card as the first bootable device and demote all others. You then provide the maximum possible number of methods for successfully deploying Windows 2000 to computers in your environment. For more information about using RIS, see "[RemoteInstall]," later in this document.

One method to simplify this process is to modify the BIOS to specify the CD-ROM as the first bootable device, the floppy drive as the second, and the hard drive as the third.

Answer File Format
In general, an answer file, such as Unattend.txt or Sysprep.inf, consists of section headers/keys, parameters, and the values for each parameter. Most of the section headers are pre-defined, but some may be user-defined. You don't need to specify all of the possible parameters in the Unattend.txt file if the installation does not require them.

The file format is as follows:

[section1]
;
; Section contains keys and the corresponding
; values for those keys/parameters.
; keys and values are separated by '=' signs
; Values that have spaces in them usually require double quotes
; "" around them
;
key = value
.
.
[section2]
key = value

Invalid parameter values generate errors or may cause incorrect behavior after setup.

Top of page
Description of Answer File Parameters
Bold
for a section or a key name. The exact name specified must be used.

for a key or a section name when specified and enclosed in brackets (< >) and italicized. The name used can be specified by the creator of the answer file.

Key values
are string type, unless otherwise mentioned. Wherever Type = Numeric is specified, the value is written as a decimal number unless expressly mentioned otherwise.

Optional
indicates that the key is optional. Unless indicated, all keys are required for the given section.

Default
indicates the default value assumed if a key is not present.

difference between microsoft windows 2003 & 2000

2008-01-29T06:34:00.001-08:00

Q. How is Microsoft Windows Server 2003 different from Microsoft Windows 2000?
A. The Microsoft Windows Server 2003 family takes the best of Microsoft Windows 2000 Server technology and makes it easier to deploy, manage, and use. For more information, see the Microsoft Windows Server 2003 Web site.

More Information( FAT, NTFS)

2008-01-29T01:36:00.001-08:00

MORE INFORMATION

FAT OVERVIEW :

FAT is by far the most simplistic of the file systems supported by Windows NT.
File allocation table (FAT), which is really a table that resides at the very "top" of the volume.

*To protect the volume, two copies of the FAT are kept in case one becomes damaged. In addition, the FAT tables and the root directory must be stored in a fixed location so that the system's boot files can be correctly located.
*A disk formatted with FAT is allocated in clusters, whose size are determined by the size of the volume. When a file is created, an entry is created in the directory and the first cluster number containing data is established. This entry in the FAT table either indicates that this is the last cluster of the file, or points to the next cluster.
*Updating the FAT table is very important as well as time consuming. If the FAT table is not regularly updated, it can lead to data loss. It is time consuming because the disk read heads must be repositioned to the drive's logical track zero each time the FAT table is updated.
* There is no organization to the FAT directory structure, and files are given the first open location on the drive. In addition, FAT supports only read-only, hidden, system, and archive file attributes.

*****************************************************************************************
ing Convention

FAT uses the traditional 8.3 file naming convention and all filenames must be created with the ASCII character set.
*The name of a file or directory can be up to eight characters long, then a period (.) separator, and up to a three character extension. The name must start with either a letter or number and can contain any characters except for the following: . " / \ [ ] : ; = ,
If any of these characters are used, unexpected results may occur. The name cannot contain any spaces. The following names are reserved: CON, AUX, COM1, COM2, COM3, COM4, LPT1, LPT2, LPT3, PRN, NUL
All characters will be converted to uppercase.
**************************************************************************************

Advantages of FAT

It is not possible to perform an undelete under Windows NT on any of the supported file systems. Undelete utilities try to directly access the hardware, which cannot be done under Windows NT. However, if the file was located on a FAT partition, and the system is restarted under MS-DOS, the file can be undeleted. The FAT file system is best for drives and/or partitions under approximately 200 MB, because FAT starts out with very little overhead. For further discussion of FAT advantages, see the following:

*******************************************************************************************
Disadvantages of FAT

*when using drives or partitions of over 200 MB the FAT file system should not be used.
*This is because as the size of the volume increases, performance with FAT will quickly decrease. It is not possible to set permissions on files that are FAT partitions.
* FAT partitions are limited in size to a maximum of 4 Gigabytes (GB) under Windows NT and 2 GB in MS-DOS. For additional information on this limitation, please see the following article in the Microsoft Knowledge Base:

•**************************************************************************************

HPFS OVERVIEW

The HPFS file system was first introduced with OS/2 1.2 to allow for greater access to the larger hard drives

* HPFS maintains the directory organization of FAT, but adds automatic sorting of the directory based on filenames. Filenames are extended to up to 254 double byte characters.
*Allows a file to be composed of "data" and special attributes to allow for increased flexibility in terms of supporting other naming conventions and security.
*The unit of allocation is changed from clusters to physical sectors (512 bytes), which reduces lost disk space. Under HPFS, directory entries hold more information than under FAT. As well as the attribute file, this includes information about the modification, creation, and access date and times. Instead of pointing to the first cluster of the file, the directory entries under HPFS point to the FNODE. The FNODE can contain the file's data, or pointers that may point to the file's data or to other structures that will eventually point to the file's data. HPFS attempts to allocate as much of a file in contiguous sectors as possible. This is done in order to increase speed when doing sequential processing of a file. HPFS organizes a drive into a series of 8 MB bands, and whenever possible a file is contained within one of these bands. Between each of these bands are 2K allocation bitmaps, which keep track of which sectors within a band have and have not been allocated. Banding increases performance because the drive head does not have to return to the logical top (typically cylinder 0) of the disk, but to the nearest band allocation bitmap to determine where a file is to be stored. Additionally, HPFS includes a couple of unique special data objects:

*******************************************************************************************************
Super Block

The Super Block is located in logical sector 16 and contains a pointer to the FNODE of the root directory. One of the biggest dangers of using HPFS is that if the Super Block is lost or corrupted due to a bad sector, so are the contents of the partition, even if the rest of the drive is fine. It would be possible to recover the data on the drive by copying everything to another drive with a good sector 16 and rebuilding the Super Block. However, this is a very complex task.

*******************************************************************************************
Spare Block
loadTOCNode(2, 'moreinformation');
The Spare Block is located in logical sector 17 and contains a table of "hot fixes" and the Spare Directory Block. Under HPFS, when a bad sector is detected, the "hot fixes" entry is used to logically point to an existing good sector in place of the bad sector. This technique for handling write errors is known as hot fixing. Hot fixing is a technique where if an error occurs because of a bad sector, the file system moves the information to a different sector and marks the original sector as bad. This is all done transparent to any applications that are performing disk I/O (that is, the application never knows that there were any problems with the hard drive). Using a file system that supports hot fixing will eliminate error messages such as the FAT "Abort, Retry, or Fail?" error message that occurs when a bad sector is encountered. Note: The version of HPFS that is included with Windows NT does not support hot fixing.

Advantages of HPFS
loadTOCNode(2, 'moreinformation');
HPFS is best for drives in the 200-400 MB range. For more discussion of the advantages of HPFS, see the following:
•

**************************************************************************************
Disadvantages of HPFS
loadTOCNode(2, 'moreinformation');
Because of the overhead involved in HPFS, it is not a very efficient choice for a volume of under approximately 200 MB. In addition, with volumes larger than about 400 MB, there will be some performance degradation. You cannot set security on HPFS under Windows NT. HPFS is only supported under Windows NT versions 3.1, 3.5, and 3.51. Windows NT 4.0 cannot access HPFS partitions. For additional disadvantages of HPFS, see the following:
•*************************************************************************************
NTFS OVERVIEW

From a user's point of view, NTFS continues to organize files into directories, which, like HPFS, are sorted. However, unlike FAT or HPFS, there are no "special" objects on the disk and there is no dependence on the underlying hardware, such as 512 byte sectors. In addition, there are no special locations on the disk, such as FAT tables or HPFS Super Blocks. The goals of NTFS are to provide:
•
Reliability, which is especially desirable for high end systems and file servers
•
A platform for added functionality
•
Support POSIX requirements
•
Removal of the limitations of the FAT and HPFS file systems

Reliability

To ensure reliability of NTFS, three major areas were addressed: recoverability, removal of fatal single sector failures, and hot fixing. NTFS is a recoverable file system because it keeps track of transactions against the file system. When a CHKDSK is performed on FAT or HPFS, the consistency of pointers within the directory, allocation, and file tables is being checked. Under NTFS, a log of transactions against these components is maintained so that CHKDSK need only roll back transactions to the last commit point in order to recover consistency within the file system. Under FAT or HPFS, if a sector that is the location of one of the file system's special objects fails, then a single sector failure will occur. NTFS avoids this in two ways: first, by not using special objects on the disk and tracking and protecting all objects that are on the disk. Secondly, under NTFS, multiple copies (the number depends on the volume size) of the Master File Table are kept. Similar to OS/2 versions of HPFS, NTFS supports hot fixing.
***********************************************************************************
Added Functionality
One of the major design goals of Windows NT at every level is to provide a platform that can be added to and built upon, and NTFS is no exception. NTFS provides a rich and flexible platform for other file systems to be able to use. In addition, NTFS fully supports the Windows NT security model and supports multiple data streams. No longer is a data file a single stream of data. Finally, under NTFS, a user can add his or her own user-defined attributes to a file.

POSIX Support

NTFS is the most POSIX.1 compliant of the supported file systems because it supports the following POSIX.1 requirements: Case Sensitive Naming: Under POSIX, README.TXT, Readme.txt, and readme.txt are all different files. Additional Time Stamp: The additional time stamp supplies the time at which the file was last accessed. Hard Links: A hard link is when two different filenames, which can be located in different directories, point to the same data.

Removing Limitations

First, NTFS has greatly increased the size of files and volumes, so that they can now be up to 2^64 bytes (16 exabytes or 18,446,744,073,709,551,616 bytes). NTFS has also returned to the FAT concept of clusters in order to avoid HPFS problem of a fixed sector size. This was done because Windows NT is a portable operating system and different disk technology is likely to be encountered at some point. Therefore, 512 bytes per sector was viewed as having a large possibility of not always being a good fit for the allocation. This was accomplished by allowing the cluster to be defined as multiples of the hardware's natural allocation size. Finally, in NTFS all filenames are Unicode based, and 8.3 filenames are kept along with long filenames.

Advantages of NTFS

NTFS is best for use on volumes of about 400 MB or more. This is because performance does not degrade under NTFS, as it does under FAT, with larger volume sizes. The recoverability designed into NTFS is such that a user should never have to run any sort of disk repair utility on an NTFS partition. For additional advantages of NTFS, see the following:

Disadvantages of NTFS

It is not recommended to use NTFS on a volume that is smaller than approximately 400 MB, because of the amount of space overhead involved in NTFS. This space overhead is in the form of NTFS system files that typically use at least 4 MB of drive space on a 100 MB partition. Currently, there is no file encryption built into NTFS. Therefore, someone can boot under MS-DOS, or another operating system, and use a low-level disk editing utility to view data stored on an NTFS volume. It is not possible to format a floppy disk with the NTFS file system; Windows NT formats all floppy disks with the FAT file system because the overhead involved in NTFS will not fit onto a floppy disk. For further discussion of NTFS disadvantages, see the following:
•
NTFS Naming Conventions

File and directory names can be up to 255 characters long, including any extensions. Names preserve case, but are not case sensitive. NTFS makes no distinction of filenames based on case. Names can contain any characters except for the following: ? " / \ < > * :

Currently, from the command line, you can only create file names of up to 253 characters.NOTE: Underlying hardware limitations may impose additional partition size limitations in any file system. Particularly, a boot partition can be only 7.8 GB in size, and there is a 2-terabyte limitation in the partition table. For more information about the supported file systems for Windows NT, please see the Windows NT Resource Kit.

File System( NTFS ,FAT)

2008-01-29T01:30:00.000-08:00

In computing, a file system (often also written as filesystem) is a method for storing and organizing computer files and the data they contain to make it easy to find and access them. File systems may use a data storage device such as a hard disk or CD-ROM and involve maintaining the physical location of the files, they might provide access to data on a file server by acting as clients for a network protocol (e.g., NFS, SMB, or 9P clients), or they may be virtual and exist only as an access method for virtual data (e.g., procfs).
More formally, a file system is a set of abstract data types that are implemented for the storage, hierarchical organization, manipulation, navigation, access, and retrieval of data. File systems share much in common with database technology, but it is debatable whether a file system can be classified as a special-purpose database (DBMS).[citation needed]
The most familiar file systems make use of an underlying data storage device that offers access to an array of fixed-size blocks, sometimes called sector, generally 512 bytes each. The file system software is responsible for organizing these sectors into files and directories, and keeping track of which sectors belong to which file and which are not being used. Most file systems address data in fixed-sized units called "clusters" or "blocks" which contain a certain number of disk sectors (usually 1-64). This is the smallest logical amount of disk space that can be allocated to hold a file.
However, file systems need not make use of a storage device at all. A file system can be used to organize and represent access to any data, whether it be stored or dynamically generated (eg, from a network connection).
Whether the file system has an underlying storage device or not, file systems typically have directories which associate file names with files, usually by connecting the file name to an index into a file allocation table of some sort, such as the FAT in an MS-DOS file system, or an inode in a Unix-like file system. Directory structures may be flat, or allow hierarchies where directories may contain subdirectories. In some file systems, file names are structured, with special syntax for filename extensions and version numbers. In others, file names are simple strings, and per-file metadata is stored elsewhere.
Other bookkeeping information is typically associated with each file within a file system. The length of the data contained in a file may be stored as the number of blocks allocated for the file or as an exact byte count. The time that the file was last modified may be stored as the file's timestamp. Some file systems also store the file creation time, the time it was last accessed, and the time that the file's meta-data was changed. (Note that many early PC operating systems did not keep track of file times.) Other information can include the file's device type (e.g., block, character, socket, subdirectory, etc.), its owner user-ID and group-ID, and its access permission settings (e.g., whether the file is read-only, executable, etc.).
The hierarchical file system was an early research interest of Dennis Ritchie of Unix fame; previous implementations were restricted to only a few levels, notably the IBM implementations, even of their early databases like IMS. After the success of Unix, Ritchie extended the file system concept to every object in his later operating system developments, such as Plan 9 and Inferno.
Traditional file systems offer facilities to create, move and delete both files and directories. They lack facilities to create additional links to a directory (hard links in Unix), rename parent links (".." in Unix-like OS), and create bidirectional links to files.
Traditional file systems also offer facilities to truncate, append to, create, move, delete and in-place modify files. They do not offer facilities to prepend to or truncate from the beginning of a file, let alone arbitrary insertion into or deletion from a file. The operations provided are highly asymmetric and lack the generality to be useful in unexpected contexts. For example, interprocess pipes in Unix have to be implemented outside of the file system because the pipes concept does not offer truncation from the beginning of files.
Secure access to basic file system operations can be based on a scheme of access control lists or capabilities. Research has shown access control lists to be difficult to secure properly, which is why research operating systems tend to use capabilities. Commercial file systems still use access control lists. see: secure computing
Arbitrary attributes can be associated on advanced file systems, such as XFS, ext2/ext3, some versions of UFS, and HFS+, using extended file attributes. This feature is implemented in the kernels of Linux, FreeBSD and Mac OS X operating systems, and allows metadata to be associated with the file at the file system level. This, for example, could be the author of a document, the character encoding of a plain-text document, or a checksum.

[edit] Types of file systems
File system types can be classified into disk file systems, network file systems and special purpose file systems.

[edit] Disk file systems
A disk file system is a file system designed for the storage of files on a data storage device, most commonly a disk drive, which might be directly or indirectly connected to the computer. Examples of disk file systems include FAT, FAT32, NTFS, HFS and HFS+, ext2, ext3, ISO 9660, ODS-5, and UDF. Some disk file systems are journaling file systems or versioning file systems.

[edit] Flash file systems
A flash file system is a file system designed for storing files on flash memory devices. These are becoming more prevalent as the number of mobile devices is increasing, and the capacity of flash memories catches up with hard drives.
While a block device layer can emulate a disk drive so that a disk file system can be used on a flash device, this is suboptimal for several reasons:
Erasing blocks: Flash memory blocks have to be explicitly erased before they can be written to. The time taken to erase blocks can be significant, thus it is beneficial to erase unused blocks while the device is idle.
Random access: Disk file systems are optimized to avoid disk seeks whenever possible, due to the high cost of seeking. Flash memory devices impose no seek latency.
Wear levelling: Flash memory devices tend to wear out when a single block is repeatedly overwritten; flash file systems are designed to spread out writes evenly.
Log-structured file systems have all the desirable properties for a flash file system. Such file systems include JFFS2 and YAFFS.

[edit] Database file systems
A new concept for file management is the concept of a database-based file system. Instead of, or in addition to, hierarchical structured management, files are identified by their characteristics, like type of file, topic, author, or similar metadata. Example: dbfs.

[edit] Transactional file systems
Each disk operation may involve changes to a number of different files and disk structures. In many cases, these changes are related, meaning that it is important that they all be executed at the same time. Take for example a bank sending another bank some money electronically. The bank's computer will "send" the transfer instruction to the other bank and also update its own records to indicate the transfer has occurred. If for some reason the computer crashes before it has had a chance to update its own records, then on reset, there will be no record of the transfer but the bank will be missing some money.
Transaction processing introduces the guarantee that at any point while it is running, a transaction can either be finished completely or reverted completely (though not necessarily both at any given point). This means that if there is a crash or power failure, after recovery, the stored state will be consistent. (Either the money will be transferred or it will not be transferred, but it won't ever go missing "in transit".)
This type of file system is designed to be fault tolerant, but may incur additional overhead to do so.
Journaling file systems are one technique used to introduce transaction-level consistency to filesystem structures.

[edit] Network file systems
Main article: Network file system
A network file system is a file system that acts as a client for a remote file access protocol, providing access to files on a server. Examples of network file systems include clients for the NFS, SMB protocols, and file-system-like clients for FTP and WebDAV.

[edit] Special purpose file systems
A special purpose file system is basically any file system that is not a disk file system or network file system. This includes systems where the files are arranged dynamically by software, intended for such purposes as communication between computer processes or temporary file space.
Special purpose file systems are most commonly used by file-centric operating systems such as Unix. Examples include the procfs (/proc) file system used by some Unix variants, which grants access to information about processes and other operating system features.
Deep space science exploration craft, like Voyager I & II used digital tape based special file systems. Most modern space exploration craft like Cassini-Huygens used Real-time operating system file systems or RTOS influenced file systems. The Mars Rovers are one such example of an RTOS file system, important in this case because they are implemented in flash memory.

[edit] File systems and operating systems
Most operating systems provide a file system, as a file system is an integral part of any modern operating system. Early microcomputer operating systems' only real task was file management — a fact reflected in their names (see DOS). Some early operating systems had a separate component for handling file systems which was called a disk operating system. On some microcomputers, the disk operating system was loaded separately from the rest of the operating system. On early operating systems, there was usually support for only one, native, unnamed file system; for example, CP/M supports only its own file system, which might be called "CP/M file system" if needed, but which didn't bear any official name at all.
Because of this, there needs to be an interface provided by the operating system software between the user and the file system. This interface can be textual (such as provided by a command line interface, such as the Unix shell, or OpenVMS DCL) or graphical (such as provided by a graphical user interface, such as file browsers). If graphical, the metaphor of the folder, containing documents, other files, and nested folders is often used (see also: directory and folder).

[edit] Flat file systems
In a flat file system, there are no subdirectories—everything is stored at the same (root) level on the media, be it a hard disk, floppy disk, etc. While simple, this system rapidly becomes inefficient as the number of files grows, and makes it difficult for users to organize data into related groups.
Like many small systems before it, the original Apple Macintosh featured a flat file system, called Macintosh File System. Its version of Mac OS was unusual in that the file management software (Macintosh Finder) created the illusion of a partially hierarchical filing system on top of MFS. This structure meant that every file on a disk had to have a unique name, even if it appeared to be in a separate folder. MFS was quickly replaced with Hierarchical File System, which supported real directories.

[edit] File systems under Unix-like operating systems

Wikibooks Guide to Unix has a page on the topic of
Filesystems and Swap
Unix-like operating systems create a virtual file system, which makes all the files on all the devices appear to exist in a single hierarchy. This means, in those systems, there is one root directory, and every file existing on the system is located under it somewhere. Furthermore, the root directory does not have to be in any physical place. It might not be on your first hard drive - it might not even be on your computer. Unix-like systems can use a network shared resource as its root directory.
Unix-like systems assign a device name to each device, but this is not how the files on that device are accessed. Instead, to gain access to files on another device, you must first inform the operating system where in the directory tree you would like those files to appear. This process is called mounting a file system. For example, to access the files on a CD-ROM, one must tell the operating system "Take the file system from this CD-ROM and make it appear under such-and-such directory". The directory given to the operating system is called the mount point - it might, for example, be /media. The /media directory exists on many Unix systems (as specified in the Filesystem Hierarchy Standard) and is intended specifically for use as a mount point for removable media such as CDs, DVDs and like floppy disks. It may be empty, or it may contain subdirectories for mounting individual devices. Generally, only the administrator (i.e. root user) may authorize the mounting of file systems.
Unix-like operating systems often include software and tools that assist in the mounting process and provide it new functionality. Some of these strategies have been coined "auto-mounting" as a reflection of their purpose.
In many situations, file systems other than the root need to be available as soon as the operating system has booted. All Unix-like systems therefore provide a facility for mounting file systems at boot time. System administrators define these file systems in the configuration file fstab, which also indicates options and mount points.
In some situations, there is no need to mount certain file systems at boot time, although their use may be desired thereafter. There are some utilities for Unix-like systems that allow the mounting of predefined file systems upon demand.
Removable media have become very common with microcomputer platforms. They allow programs and data to be transferred between machines without a physical connection. Common examples include USB flash drives, CD-ROMs and DVDs. Utilities have therefore been developed to detect the presence and availability of a medium and then mount that medium without any user intervention.
Progressive Unix-like systems have also introduced a concept called supermounting; see, for example, the Linux supermount-ng project. For example, a floppy disk that has been supermounted can be physically removed from the system. Under normal circumstances, the disk should have been synchronized and then unmounted before its removal. Provided synchronization has occurred, a different disk can be inserted into the drive. The system automatically notices that the disk has changed and updates the mount point contents to reflect the new medium. Similar functionality is found on standard Windows machines.
A similar innovation preferred by some users is the use of autofs, a system that, like supermounting, eliminates the need for manual mounting commands. The difference from supermount, other than compatibility in an apparent greater range of applications such as access to file systems on network servers, is that devices are mounted transparently when requests to their file systems are made, as would be appropriate for file systems on network servers, rather than relying on events such as the insertion of media, as would be appropriate for removable media.

[edit] File systems under Mac OS X
Mac OS X uses a file system that it inherited from classic Mac OS called HFS Plus. HFS Plus is a metadata-rich and case preserving file system. Due to the Unix roots of Mac OS X, Unix permissions were added to HFS Plus. Later versions of HFS Plus added journaling to prevent corruption of the file system structure and introduced a number of optimizations to the allocation algorithms in an attempt to defragment files automatically without requiring an external defragmenter.
Filenames can be up to 255 characters. HFS Plus uses Unicode to store filenames. On Mac OS X, the filetype can come from the type code, stored in file's metadata, or the filename.
HFS Plus has three kinds of links: Unix-style hard links, Unix-style symbolic links and aliases. Aliases are designed to maintain a link to their original file even if they are moved or renamed; they are not interpreted by the file system itself, but by the File Manager code in userland.
Mac OS X also supports the UFS file system, derived from the BSD Unix Fast File System via NeXTSTEP.

[edit] File systems under Plan 9 from Bell Labs
Plan 9 from Bell Labs was originally designed to extend some of Unix's good points, and to introduce some new ideas of its own while fixing the shortcomings of Unix.
With respect to file systems, the Unix system of treating things as files was continued, but in Plan 9, everything is treated as a file, and accessed as a file would be (i.e., no ioctl or mmap). Perhaps surprisingly, while the file interface is made universal it is also simplified considerably, for example symlinks, hard links and suid are made obsolete, and an atomic create/open operation is introduced. More importantly the set of file operations becomes well defined and subversions of this like ioctl are eliminated.
Secondly, the underlying 9P protocol was used to remove the difference between local and remote files (except for a possible difference in latency). This has the advantage that a device or devices, represented by files, on a remote computer could be used as though it were the local computer's own device(s). This means that under Plan 9, multiple file servers provide access to devices, classing them as file systems. Servers for "synthetic" file systems can also run in user space bringing many of the advantages of micro kernel systems while maintaining the simplicity of the system.
Everything on a Plan 9 system has an abstraction as a file; networking, graphics, debugging, authentication, capabilities, encryption, and other services are accessed via I-O operations on file descriptors. For example, this allows the use of the IP stack of a gateway machine without need of NAT, or provides a network-transparent window system without the need of any extra code.
Another example: a Plan-9 application receives FTP service by opening an FTP site. The ftpfs server handles the open by essentially mounting the remote FTP site as part of the local file system. With ftpfs as an intermediary, the application can now use the usual file-system operations to access the FTP site as if it were part of the local file system. A further example is the mail system which uses file servers that synthesize virtual files and directories to represent a user mailbox as /mail/fs/mbox. The wikifs provides a file system interface to a wiki.
These file systems are organized with the help of private, per-process namespaces, allowing each process to have a different view of the many file systems that provide resources in a distributed system.
The Inferno operating system shares these concepts with Plan 9.

[edit] File systems under Microsoft Windows
Windows makes use of the FAT and NTFS (New Technology File System) file systems.
The FAT (File Allocation Table) filing system, supported by all versions of Microsoft Windows, was an evolution of that used in Microsoft's earlier operating system (MS-DOS which in turn was based on 86-DOS). FAT ultimately traces its roots back to the short-lived M-DOS project and Standalone disk BASIC before it. Over the years various features have been added to it, inspired by similar features found on file systems used by operating systems such as Unix.
Older versions of the FAT file system (FAT12 and FAT16) had file name length limits, a limit on the number of entries in the root directory of the file system and had restrictions on the maximum size of FAT-formatted disks or partitions. Specifically, FAT12 and FAT16 had a limit of 8 characters for the file name, and 3 characters for the extension. This is commonly referred to as the filename limit. VFAT, which was an extension to FAT12 and FAT16 introduced in Windows NT 3.5 and subsequently included in Windows 95, allowed long file names (LFN). FAT32 also addressed many of the limits in FAT12 and FAT16, but remains limited compared to NTFS.
NTFS, introduced with the Windows NT operating system, allowed ACL-based permission control. Hard links, multiple file streams, attribute indexing, quota tracking, compression and mount-points for other file systems (called "junctions") are also supported, though not all these features are well-documented.
Unlike many other operating systems, Windows uses a drive letter abstraction at the user level to distinguish one disk or partition from another. For example, the path C:\WINDOWS represents a directory WINDOWS on the partition represented by the letter C. The C drive is most commonly used for the primary hard disk partition, on which Windows is installed and from which it boots. This "tradition" has become so firmly ingrained that bugs came about in older versions of Windows which made assumptions that the drive that the operating system was installed on was C. The tradition of using "C" for the drive letter can be traced to MS-DOS, where the letters A and B were reserved for up to two floppy disk drives; in a common configuration, A would be the 3½-inch floppy drive, and B the 5¼-inch one. Network drives may also be mapped to drive letters.

MCSE-qs-1

2008-01-29T00:52:00.000-08:00

1) You want your computer to be able to dual boot. Your computer is already loaded with Windows 98. Now you want to install Windows 2000 Professional using the same partition on your computer, on which Windows 98 is residing. Which file system you can use? [Select 2].
FAT
FAT32
NTFS
HPFS

Correct Answer: A,B.
Explanation:
You want to install Windows 2000 Professional on the same partition as that of Windows 98. Windows 98 supports FAT (FAT16) and FAT32. It doesn’t support NTFS file system. Therefore, you need to install 2000 Professional either on the FAT file systems or on the FAT32 for dual boot.