flash.10.exe

JambanMu.com Virus
This virus create a few folders and files like flash.10.exe, msconfig.com, cmd.com, jambanmu.com, ping.com, regedit.com, aweks.pikz, msn.msn and many more...
This Virus is created by using VB Basic v5 which is believed to be coded by Malaysian.

Also impairs the followings:-
Disable Task Manager
Disable Folder Option
Disable Regedit
Disable "cmd"
JambanMu.com run everytime you start your computer(at startup)

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
Shell = Explorer.exe has been change into:- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
Shell = Explorer.exe %sysdir% \ JambanMu.com

To resolve this menace:-
Download KillFlash1.0
Unrar
Double click KillFlash1.0.exe
Reboot

Read More...... View blog reactions

Bha.dll.vbs

You can’t double click the drive icon for my USB flash drive to browse the
contents. Had to right click it and hit the explore or autoplay option instead.Odd.
Browsing the flash drive,You find a Bha.dll.vbs file and an autorun.inf in the root
directory.
Googling for information on Bha.dll.vbs shows that it’s a malicious Visual Basic
(VB) script (Windows virus/malware; no surprises here). So, how to remove the damn
thing?

Flash Disinfector (a program by sUBs)is to be used to remove the computer virus.

Flash Disinfector will target the following Flash malwares(in general):

W32/Perlovga (copy.exe | host.exe)
VBS_RESULOWS.A (Hacked by Godzilla, Hacked by Moozilla)
Bha.dll.vbs
w32automa worm (Autorun.vbs)
Trojan.Win32.VB.atg | Win32/Dzan | Worm_vb.bnr (tel.xls.exe | mmc.exe)
W32/RJump.worm (RavMonE)
Worm.Win32.Delf.bf | W32.Fujacks (spoclsv.exe)
W32.Fujacks.BH (Fucker.vbs)
WORM_AGENT.PGV (soundmix.exe)
W32/Hakaglan.worm (RVHost.exe)
Trojan.Win32.VB.ayo [AVP] (Macromedia_Setup.exe)
Trojan.VBS.DeltreeY.b#1 (Destrukto!!! | destrukto.vbs)

Download Flash Disinfector by sUBs and save it to your desktop.
* Insert your USB flash drive
* Double-click Flash_Disinfector.exe to run it. Follow any prompts that may appear.
* Your desktop will vanish for a while, and then reappear. This is normal.
* Wait until the program has finished scanning, then please exit the program.
* Restart your computer and see if problem still persists.

Read More...... View blog reactions

Smart.Pix.Manager.v9.01

0 "Powerful Management, Editing and Viewing Û
Û of Images and Multimedia" Û
Û Smart Pix Manager is a powerful, but Û
Û easy-to-use solution for the management Û
Û and viewing of all common images, Û
Û documents, sound (WMA, MP3, etc) and Û
Û video files (AVI, MPEG, etc). Quickly Û
Û browse the folders of your computer, or Û
Û search your files using keywords, Û
Û descriptions and file content. Click any Û
Û file to view it immediately or display a Û
Û sequence of images, sounds and videos as Û
Û a slideshow. Û
Û Û
Û Key Features Û
Û Û
Û * View over one hundred image, video, Û
Û sound, Office, document and other formats Û
Û * Quickly categorize and search your Û
Û files by keyword, description and file Û
Û content Û
Û * Automatically generate keywords Û
Û from sound and digital photo fields and Û
Û file and folder names Û
Û * Display Image and Multimedia Û
Û Slideshows with transition effects Û
Û (including random playback of all your Û
Û MP3 music files) Û
Û * Edit your photos with our powerful Û
Û tools, including red-eye removal, Û
Û lossless rotation and cropping Û
Û * Rapidly convert, edit and rename Û
Û your pictures with automatic batch Û
Û processing Û
Û * One-click retrieval of photos from Û
Û digital cameras and scanners Û
Û * Secure your critical files using Û
Û encrypted storage and password protection Û
Û * Create auto-playing Slideshow Û
Û CD/DVD disks with full support for Û
Û background music, captions and transition Û
Û effects Û
Û * Archive images to CD or DVD with Û
Û thumbnail browsing and searching of Û
Û offline disks Û
Û * Automatically detect duplicate Û
Û files on your computer Û
Û * Search and share your files with Û
Û other users over a network Û
Û * Email photos with automatic Û
Û resizing and conversion for faster Û
Û sending Û
Û * Print images at standard photo Û
Û sizes (4x6", 5x7", etc), thumbnails or Û
Û posters (up to ten feet high) Û
Û * Create stylish image indexes for Û
Û your web site with our wizard Û
Û Û
Û Û
Û http://www.xequte.com/ Û
Û Û
Û Download

Read More...... View blog reactions

System Restore Not Functioning

If you are running Windows XP Home and after going through the System Restore process, a message stating "Cannot restore the computer to an earlier restore point, no changes have been made to your computer" pops up, try the procedure listed below to restore its functionality.

Right click [My Computer] [Properties] then click on System Restore tab.
Put a check in the box for Disable Restore on all drives.
Click apply, then Reboot your PC.
After the system reboots, navigate to the System Restore tab and turn it back on. Click apply.
Navigate to [System Tools] [Restore...] and choose [Create a Restore Point]
Provide a name for the new restore point.
Try and restore the new point just created. It should work properly.





Open a command prompt window:

1. Click Start, click Run, and then type "CMD" (without the quotation marks).
2. Press the ENTER key, and then type "Net Start" (without the quotation marks) at the command prompt to make sure that
the System Restore service is up and running.


An alternative to the usual method of enabling and disabling Windows XP's System Restore feature is to use the registry. To use this alternative, perform the following steps: Start the registry editor (regedit.exe).

Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore.
If a "DisableSR" value doesn't exist, go to the Edit menu, select New, DWORD value, and create the value.
Set the value to 1 to disable System Restore or 0 to enable System Restore.

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sr to prevent the System Restore service from starting.

Double-click Start, and set the value to 4 to stop the service from starting or to 0 for normal startup. Close the registry editor.

A copy, delete, modify operation was made to a file monitored by System Restore. This typically causes System Restore to suspend across the system.

'System restore was unable to start due to a missing Framedyn.dll. Please reinstall the application to fix this problem'.
Address this issue by copying the framedyn.dll file from the \windows\system32\wbem directory to the \windows\system32 directory.

Folder Options\View

How can I see system files such as .dll or .inf in Windows?
untick Hide extensions for known file types
Hide protected operating system files(Recommended)

Tick Show hidden files & folders

Generate a system restore Cab file:

1.Click Start, then Run

2.Type or paste: %windir%\system32\restore\srdiag.exe and click OK

3.A command window will open while the Srdiag.exe runs. The command session will automatically close when complete, and the .cab file will be created in your Windows\system32\restore directory. This can take several minutes.

Look at the event logs to investigate any system restore errors
To check event logs:

1.Click Start, Control Panel, then Performance and Maintenance

2.Click Administrative Tools, Computer Management, double-click Event Viewer, then click System

3.Click the Source tab to sort by name, and then type for "sr" or "srservice." Double-click each of these services, and then evaluate the event description for the cause of the problem.

Verify that the System Restore services are running on my computer.
Use the following procedure:
To verify that System Restore services are running from Control Panel:

1.Click Start, Control Panel, then Performance and Maintenance

2.Click Administrative Tools, Computer Management, then Services and Applications.

3.Click Services, and then click System Restore Services. Ensure the service is set to Automatic and the status is Started

To verify that System Restore services are running using the command prompt:

1.Click Start, Run, then type CMD in the control box

2.Press Enter, then type Net Start at the command prompt.

Task Scheduler should be running for System Restore

How can I verify that the Task Scheduler is running on my computer?
Use the following procedure:
To verify that Task Scheduler is running from Control Panel:

1.Click Start, click Control Panel, and then click "Performance and Maintenance".

2.Click Administrative Tools, click Computer Management, and then click Services and Applications.

3.Click Services, then Task Scheduler service to ensure the Service is set to Automatic and the status is Started

To verify that Task Scheduler is running using the command prompt:

1.Click Start, Run, then type CMD in the control box

2.Press Enter, then type Net Start at the command prompt to ensure that the Task Scheduler service is running

Read More...... View blog reactions

Disk Defragmenter unavailable

When you attempt to Analyze or Defragment, Disk Defragmenter doesn't do anything. When you try Defrag.exe from a CMD.EXE window, or batch, you receive a Windows cannot connect to the Disk Defragmenter engine error message.

* When you attempt to Analyze or Defragment, Disk Defragmenter performs no actions.
* When you try running Defrag.exe from a command line or batch file, you receive a Windows cannot connect to the Disk Defragmenter engine error message.
* When you right-click a local hard disk and select Properties, the Defragment Now button isn't available on the Tools tab, or if it is available, pressing it displays the following error message: "The Disk Defragmenter is not installed on your computer. To install it, double-click the Add or Remove Programs icon in Control Panel, click the Install/Uninstall tab, and then follow the instructions on your screen."

To resolve the problem, force a reinstallation of the disk defragmenter engine:

1. Navigate to the %SystemRoot%\INF folder (Start, Run, %SystemRoot%\INF) and click OK.
2. Right-click the dfrg.inf file and press Install.

Too see dfrg.inf file
Windows Exp-lorer
Tools\Folder Options\View

untick Hide extensions for known file types
Hide protected operating system files(Recommended)

Tick Show hidden files & folders

Read More...... View blog reactions

Cooking the Costco Way

Cooking the Costco Way
Costco Cookbook
ISBN: 0972216421
270 pages
PDF

Cooking the Costco Way – This book is fantastic. Great recipes, great photos,
interesting balance of things from around the world and everything is simple
and tasteful. Great ideas.
Download
http://rapidshare.com/files/70105443/CTCW.rar
17448KB

Read More...... View blog reactions

How To Boot From CD?

Simple.So just put the bootable CD into your CD drive and then restart your computer.

If your computer does not boot from a bootable CD, you may need to set your CD-ROM drive as the first boot device.

To set your CD-ROM drive as the first boot device you need to go into the system setup (BIOS). To go into the system setup you need to restart the computer and hit a specific key (usually the Delete key) on the keyboard as soon as the screen comes up. You can refer to the right top corner or the bottom of the screen for the specified key. Below is a list of some common computers' brands with the keys needed to enter the system setup.

Acer - Ctrl+Alt+Esc or F2
Compaq - F10 or Del
Compaq Presario - Press Alt+Ctrl+Esc at boot when you see the "Compaq" log in big letters
Dell - F1 or Del.
Gateway 2000 - F2 or F1
Hewlett Packard - F1
IBM
Aptiva - Press F1
ThinkPad - F1 or Ctrl+Alt+S
Leading Edge
Fortiva 5000 - Ctrl+Alt+A or Ctrl+Alt+S
NEC - F2
Packard Bell - F1 or F2 or Ctrl+Alt+S
Sharp Laptop 9020 - F2
Sony - F3, then F2, or F1
Toshiba Laptops - Toshiba Utility, on the selected models you can hold the ESC key during boot which will then prompt you to press the F1 key to enter the BIOS.

On most systems a message will come up telling you which key to hit to enter the system setup. Below is a picture of a system starting up with a Phoenix-Award BIOS. Notice the message at the bottom of the display. On this particular system setup you would hit the Delete key while this message is being displayed to enter the setup utility.
CLICK ON PICTURES FOR ENLARGEMENT

Once you have entered the System Setup you should come to a main menu. Below is a picture of the main menu for a version of Phoenix-Award BIOS. Yours may not look exactly the same, but the basic idea is the same for all System Setup utilities.

In this particular System Setup utility, the boot device settings are under the 'Advanced BIOS Features' category. Yours may be in a different category. If your System Setup does not have an 'Avanced BIOS Features' category, try looking through the different categories until you find the boot device order settings. Below is a picture of the 'Advanced BIOS Features' category.

As you can see from the picture, the 1st boot device is set to the CD-ROM drive. If the first boot device on your system is set to something else (floppy drive for example), simply change it to the CD-ROM drive. In the picture above you can also see some basic instructions on how to change the settings. Once the CD-ROM drive is set as the first boot device, you need to save the changes and exit the System Setup utility. Usually you can just hit ESC on the keyboard to go back to the main menu and then select 'Save and Exit Setup'.
There are literally hundreds of versions of System Setup utilities and this is just one example; however the basic idea is the same for all of them. If your system setup does not look the same you may have to use a little intuition to find and change the boot device order.

Read More...... View blog reactions

USB 3.0 SuperSpeed

The ubiquitous Universal Serial Bus technology

Super-fast USB 3.0 technology may begin to supersede USB 2.0 in 2008. Drawing on technology developed by HP, Microsoft, NEC,

NXP, Texas Instruments, and Intel, a USB 3.0 Promoter Group hopes to deliver by mid-2008 a proposed spec for backwards-

compatible USB ten times faster than today's 480Mbps technology.


USB supports three data rates:

* A Low Speed (1.1, 2.0) rate of 1.5 Mbit/s (187 kB/s) that is mostly used for Human Interface Devices (HID) such as

keyboards, mice, and joysticks.
* A Full Speed (1.1, 2.0) rate of 12 Mbit/s (1.5 MB/s). Full Speed was the fastest rate before the USB 2.0 specification

and many devices fall back to Full Speed. Full Speed devices divide the USB bandwidth between them in a first-come first-

served basis and it is not uncommon to run out of bandwidth with several isochronous devices. All USB Hubs support Full

Speed.
* A Hi-Speed (2.0) rate of 480 Mbit/s (60 MB/s).

Experimental data rate:

* A Super-Speed (3.0) rate of 4.8 Gbit/s (600 MB/s). The USB 3.0 specification will be released by Intel and its partners

in mid 2008 according to early reports from CNET news. According to Intel, bus speeds will be 10 times faster than USB 2.0

due to the inclusion of a fiber optic link that works with traditional copper connectors. Products using the 3.0

specification are likely to arrive in 2009 or 2010.

The USB 3.0 Promoters Group, which includes Intel, Microsoft, HP, TI, NEC and NXP among others, are planning to release a USB

3.0 spec in the first half of 2008. It will increase transfer speeds beyond USB 2.0's 480 Mbps by using a second fiber-optic

channel in addition to the standard copper channel.



USB 3.0 connectors and cables will be "designed to enable backward compatibility as well as future-proofing for optical

capabilities," Intel said. USB 3.0 will also preserve "existing USB device class driver infrastructure and investment, look-

and-feel, and ease-of-use," according to the company.

USB 3.0 technology is expected to appear first in discreet silicon products, rather than being integrated into PC chipsets or

SoCs (system-on-chip processors), Intel said.


Current USB 2.0 devices will be able to plug into USB 3.0 ports.


The main two goals of SuperSpeed USB are to provide a 10X boost in transfer rate (from 480-Mbits/s in USB 2.0 to 4.8 Gbits/s

in USB 3.0), while dramatically lowering power consumption. One example of their speed goals is to transfer a 27GB HD movie

to a portable device in 70 seconds. The same thing would take 15 minutes or more with HighSpeed USB (2.0). The SuperSpeed

devices will use the same connectors and the same programming and device models as existing devices.


As for the other, official features of USB 3.0, there remains quite a bit of information we don't know, and it would have

been nice for Intel to have included additional information. USB has long been criticized for relatively high CPU usage. This

has inevitably become less of an issue as CPU performance has improved, but devices capable of using USB 3.0's higher

bandwidth capabilities could make CPU usage a problem again unless the issue is addressed during spec development. Issues

like cable length, available power provided, and the number of devices per channel are all unrevealed as yet, and possibly

unresolved.


Since this requires fiber optic cabling, USB 3.0 will add a length of optical data cable to the mix, though USB 3.0 will

retain full compatibility with USB 2.0 (and, one assumes, USB 1.0 as well).


USB - v1.1 vs. v1.0 / Host Controller Issue

There are several hardware setup programs that warn the user, "This device requires a USB 1.1 compliant host controller."

What is USB Specification, version 1.1?

USB specification 1.1 was written to provide further clarification and additional features for USB devices and hubs. The

new specification was written to help hardware makers build better USB product. USB specification 1.1 was written for and

only effects USB peripheral devices.

Did the specification for the host controller change from version 1.0 to 1.1?

NO. The host controller portion of the USB specification is unchanged in the 1.1 revision. As part of a complete USB

specification, specification 1.1 included the UNCHANGED 1.0 USB host controller specification. There is NO difference in the

host controller specification in version 1.1.

How did all this disinformation get started?

A flaw in an early OHCI, USB host controller may be the source. The bug affected mass storage devices, printers,

scanners, and other devices that require data integrity. The OHCI flaw has been corrected by Microsoft with a work around

in Windows98 SE, v 4.10.2222a.

So what you're saying is, a 1.1 host controller is the exact same thing as a 1.0 host controller.

Yes!

Please note: Windows98 First Release versions do not provide the work around for the OHCI/VHDL core bug.

For the vast majority of users, the USB Specification 1.0 vs. 1.1 controversy is a NON-ISSUE.


How to Check for High Speed USB (USB 2.0) Support

The Keyword is Enhanced

Open the Windows Control Panel, Click on System
The System Properties Windows Appears
Click on the Hardware Tab
Open the Device Manager
Click on the Universal Serial Bus Controllers Folder

If your Device Manager shows an ENHANCED USB Host Controller, the system has High Speed USB (USB 2.0) capability.

Types of High Speed USB (USB 2.0) Host Controllers

*

Intel Enhanced
*

SiS Enhanced
*

VIA Enhanced
*

ALi Enhanced
*

Standard Enhanced
*

NEC Enhanced

The system shown has onboard Intel High Speed USB (USB 2.0) with an NEC High Speed USB (USB 2.0) PCI card installed.

The key word is ENHANCED. If you have an ENHANCED USB Host Controller then you have High Speed USB (USB 2.0)

All other types are USB v.1.1

The difference between v.1.0 and v.1.1 is explained above.

If you see a yellow exclamation next to any of the USB entries, especially the USB2 Enhanced Controller, then there is a problem affecting the USB 2.0 driver on your system. To fix the problem, right click on the entry and select Properties. Click on the 'Troubleshoot' button and follow the prompts. In most cases this will help find a solution. The alternative is to right-click and select 'Update driver' while your computer is connected to the Internet.

DOWNLOAD
VIA USB 2.0 Driver 2.7

Applies to:
PCs with VIA USB 2.0 controller: VT6202, VT6212, VT6202 VT6212

Requirements
Windows XP SP1 or higher, Windows 2000 SP4 or higher

Author/Supplier
VIA

File Size 14.5MB File Name VIA_USB2_V270p1-L-M.zip [Click here to Download]
Description The VIA USB 2.0 driver download features the latest USB 2 drivers for PCs with the VIA USB 2.0 models: VT6202, VT6212, VT6202 VT6212. It requires at least Windows XP SP1 or Windows 2000 SP4. To install the driver, unzip its contents then double click on the Setup.exe file to run the installation program. Follow the prompts and restart your computer at the end of the installation.

Read More...... View blog reactions

Device Manager cannot be viewed

1) Try to find the "mmc.exe" file on the windows CD.
Or download here Site1 Site 2
If you can find it there then just copy and paste it to
C:/windows/system32.
Check Control Panel\Hareware\Device manager tab.

2) You can try manually loading the Device Manager by running devmgmt.msc at the command prompt (Start > Run). If that doesn't work, try mmc%windir%\system32\devmgmt.msc

3) Run box on the Start Menu and type in:sfc /scannow
This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.
IF you turned off Windows File Protection (WFP); System File Checker (sfc)won't help you.

Run box on the Start Menu and type in:gpedit.msc
Computer Configuration\System\Windows File Protection\Set Windows File Protection scanning(Double-click to select enabled)(Note: This setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides.)

Can I turn off Windows File Protection...
If Windows File Protection protects system files then how exactly can they be updated with newer versions?

Well Microsoft has made the following methods Windows File Protection "aware" Meaning the newer files will replace the old system files and a copy of the new file will be stored in the dllcache folder. The security catalogues are also updated so the Windows File Protection service always knows what version of the digitally signed file is current!

Replacement of protected system files is supported using the following mechanisms:

• Windows Service Pack installation (UPDATE.EXE) e.g. XP SP2

• Hotfix distributions installed using (HOTFIX.EXE) e.g. KB825035

• Operating system upgrade (WINNT32.EXE)

• Windows Update Website

• Windows Device Installer

Can I turn off Windows File Protection...

The official answer form Microsoft is NO and this is be design. (The only exception is if you are using a kernel debugger.)

However, there is a way to do it, BUT there is no reason for you to do so!!!

On a close inspection of the system file sfc.dll it is possible to see a reference, in part of the code, that checks the value of the SFCDisable in the WinLogon key... (Something we talk about in a moment!)

This key is: 0ffffff9dh

This is NOT a documented feature from Microsoft and should NOT be used unless you REALLY are sure you need to disable the service!

(NB - It is interesting to note that the virus "W32/CodeRed.D", that caused so much mayhem by shutting down Internet Servers in the summer of 2002, used this very same undocumented setting to stop the Windows File protection service from running. The virus could then release its Trojan payload to do damage and replicate itself around the Internet!

The registry key to change is:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SFCDisable

By default, SFCDisable is set to 0, which means Windows File Protection is active.

Setting SFCDisable to 1 will disable Windows File Protection . Setting SFCDisable to 2 will disable Windows File Protection for the next system restart only (without a prompt to re-enable).

Important: You must have a kernel debugger attached to the system via null modem cable to use SFCDisable = 1 or SFCDisable = 2. More on Kernel Debugger

After Windows File Protection is disabled using the SFCDisable = 1 setting, the following message will appear after logon:

Warning! Windows File Protection is not active on this system. Would you like to enable Windows File Protection now? This will enable Windows File Protection until the next system restart. .

Clicking Yes will reactivate Windows File Protection until the next system restart. This message will appear at every successful logon until SFCDisable is set to 0.

NOTE: The above message will only be presented to Administrators.

To verify that Windows File Protection has been disabled after rebooting click on Start menu > Control Panel > Administrative Tools > Event Viewer.

An event will be logged to indicate Windows File Protection is disabled on the PC. If this event hasn’t been logged in Event Viewer then the service has NOT been disabled...

The Windows File Protection service constantly monitors for any changes to the main system files. Well Windows XP keeps a cache (copy) of these essential files at the following location:

C:WINDOWS\System32\Dllcache (assuming C: is your system root which it probably is.)

NB - The dllcache folder is extremely important so Windows XP hides it from you! To view it go to: My Computer > Tools > Folder Options > View > "uncheck" Hide protected operating system files.

If that's the case on your computer then there is normally no need for the original XP CD to be inserted as your computer has a "copy" it can get hold of in this cache...

But, if the Dllcache folder, or part of it, has become corrupted for some reason then you will be prompted for the XP CD - so your computer can get a clean copy!



Stopping annoying requests for the XP CD.
As well as having a cache of all the system files on your PC, you would like to have the I386 folder from the XP CD installed on the computer as well. After doing this you then modify the registry to tell it the source path for these files... Why? Well not only does this prevent 99% of request for the the XP CD with Windows File Protection. But the I386 folder also contains many other files that are sometimes needed by the operating system and this stops those requests for the XP CD too!

NB - With today's large hard drives you are not going to notice this 475 MB folder on your computer, but older systems may not have the space for this...

Step 1

You will need to get your XP CD and locate the folder called:

I386

This is a major folder and should be one of the first you see, now copy this onto your hard drive into the system root. For most of you that is going to be C:\ so you should end up with a folder that looks like: C:\I386



-----------------------------

Step 2

Now you will need to tell your computer you now have the files on your PC. We do this is the registry (type regedit in the Run box on the start menu) by navigating to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Setup

You will see various entries here on the right hand side. The one we want is called:

SourcePath

It probably has an entry pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All we need to do is change it to:

C:\

Simply double click the SourcePatch setting and a new box will pop up allowing you to make the change.

Now restart your computer and try scannow sfc again!


Other Problems with scannow sfc...

#1

Has the CD Drive's drive letter changed (perhaps by the addition of another hard drive, partition, or removable drive) since Windows XP was first installed? If so, simply edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Setup\SourcePath to reflect the changed drive letter.

After you restart the computer, WFP and sfc /scannow uses the new source path instead of prompting for the Windows XP installation CD-ROM

#2

Has the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Setup\SourcePath got an incorrect entry? The SourcePath entry does NOT include the path location till the I386 folder. It completes one folder ahead to reach the I386 folder.

Example:

If the I386 directory is at C:\I386, the SourcePath value would be C:\

#3

If the problem persists and you have the correct path for your I386 folder then the I386 folder is corrupted. To solve this problem copy I386 folder from the CD-ROM to your system restart the system and then
perform sfc /scannow again.

#4

You do not have an XP retail CD with an I386 folder on it. If you have a restore CD from your PC manufacturer then you may have to explore the CD to find the folder.

#5

You still keep being prompted for the XP CD yet you have done all in this article! There is another setting in the registry that may be causing the problem. Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

Make sure the entry here is the same path to the I386 folder as used above.

#6

Systems administrators can enforce security policies that may include changes to the Windows File Protection settings. You will need to speak with your network administrator about this, but it is important to bear in mind when Windows starts up, the Windows File Protection service synchronizes (copies) the WFP settings from the following registry key:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

to the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Therefore, if any of the following values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they will take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key.

This will not effect scannow sfc so much, but WILL make an impact if any of the other sfc.exe "switches" have been used! (More about these at the end of this article.)

#7

When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

the values available are: 0 = disabled, 1 = enabled

------------------------------------
What about Windows Updates.....

You may be asking yourself how does sfc.exe know how to check for updated Windows system files? Well during OS upgrades, service pack installations etc.. the dllcache folder should be updated with these new files.

As an example the recent Windows XP Hotfix - KB828035 updated the system file wkssvc.dll A new version of the file was placed in C:\WINDOWS\system32 and a copy in the cache: C:\WINDOWS\system32\dllcache A copy of the old system file is archived in: C:\WINDOWS\$NtUninstallKB828035$

There is another location the Windows File protection service uses and that is the I386 folder in C:\WINDOWS\ServicePackFiles When you install a service pack, like SP1. Any new system drivers are cached in this location too.

If you have odd problems with running scannow sfc and nothing else in the article has resolved it, then take a look at the entry in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Setup
\ServicePackSourcePath

This should be pointing to the location C:\WINDOWS\ServicePackFiles (assuming C:\ is the boot drive.)

-------------------------------------------------------

For those of you who are familiar with sfc.exe under Windows 2000 professional. It is worth noting that the following two options are NOT available under Windows XP.

These are:

sfc /cancel - In Windows 2000, this command immediately cancels all pending scans of protected system files. This option has no effect in Windows XP.

sfc /quiet - In Windows 2000 this sets Windows File Protection to replace any incorrect system files detected with the appropriate version from the dll cache without any user notification. This option has no effect in Windows XP.

More info can be found about the various switches available with sfc.exe under Windows XP here.

Read More...... View blog reactions

Generic Malware Removal - SERVICES.EXE

updates 10th July 2008: Remove The file \1021\services.exe with Security Task ManagerSee here

This executable program has a file size of 65,536 bytes, it is most frequently called SERVICES.EXE and is most frequently located in the %windir%\system32\1021\ folder.
This file is considered unsafe. It was first seen on Monday, May 14 2007. It has been seen frequently by 36 users in this section of the community. The file was first seen in The UNITED STATES but has been seen in other locations, including MALAYSIA.
SERVICES.EXE has been seen to perform the following behaviors:
- Adds a Registry Key (RUN) to auto start Programs on system

start up
- This Process Creates Other Processes On Disk
- This Process tampers with Vulnerable System Files and

Settings
- Adds a Link in the Start Menu
- Accesses the MS Outlook Address Book
- Registers a Dynamic Link Library File
SERVICES.EXE has been the subject of the following

behaviors:
- Created as a process on disk
- Terminated as a Process
- Executed as a Process
- Deleted as a process from disk
- Created as a new Background Service on the machine

Method Of Removal

To view SERVICES.EXE file at C:\WINDOWS\system32\1021
Note:
Open My Computer
Tools
Folder Options
View
Click Show hidden files and folders

Untick
A) Hide extensions for known file types
B) Hide protected operating system files (Recommended)

To Remove SERVICES.EXE file at C:\WINDOWS\system32\1021
Reboot Windows and press F8 for Safe Mode
Delete folder 1021 at C:\WINDOWS\system32\1021

Or use Unlocker software

Alternatively specify to block SERVICES.EXE with your Firewall program permanently.

Read More...... View blog reactions

Use IE messages upon opening Firefox

Symptoms: You are being annoyed by the following messages






The W32/AHKHeap virus (also known as w32.USBWorm) is spread by removable drives such as USB keys. It can cause these messages to appear when starting Firefox or when visiting Orkut or YouTube:

You can get it from downloading & installing Firefox from uncertified site. (Including its addons)

Remedy: Reboot Windows & press F8 bfor safemode. Click Start follow by RUN. Type regedit in Run box and click Ok. Click EDIT to select FIND. Then type heap41a and press enter. Delete C:\Heap41a folder. Repeat FIND to DELETE until heap41a is no longer found in the registry.

N.B. W32/AHKHeap virus masquerade as folder "Microsoft Powerpoint".
At Windows Explorer interface click Tools/Folder Options/Views & select "Show hidden files and folders". Click Ok and exit. Right Click to open your USB/flash drive. Delete the folder "Microsoft Powerpoint". (Avoid double clicking in Flash Drive to be safe)

Read More...... View blog reactions

Cannot set option"show hidden files"

Cannot set the option Folder Options/View/Show Hidden Files

5 Step Process


Please follow these instructions BEFORE posting your log. This will help the cleaning process and make things easier for you. DO NOT FIX ANY ENTRIES OR DELETE ANY FILES YOURSELF. NOTE THAT IF YOU CHOOSE TO RUN ANY SPECIALISED TOOLS THAT YOU SEE BEING USED IN OTHER THREADS, WITHOUT SUPERVISION, TSF CANNOT BE HELD RESPONSIBLE FOR ANY SYSTEM DAMAGE CAUSED. You may end up with a useless system. A trained Analyst will review your log and provide detailed instructions thereafter.


It is appreciated that the level of infection may not allow you to complete all these steps. Therefore, if for some reason you cannot perform one of the steps, move on to the next step and advise the Analyst accordingly when you post the requested logs.


NOTE: We are aware that users sometimes seek help from several Forums at the same time. Unfortunately, this can cause confusion and actually wastes time and resources - yours, ours and other Volunteers across the community. If you have already posted at another Forum, please advise us, or them, and choose just one.



STEP 1


Uninstall Malware from Windows Add/Remove Program Tab

Go to Start > Control Panel > Add / Remove Programs and uninstall any of the following malware/spyware/adware programs if you find them listed.

180 Search Assistant
180Solutions
Active alert
Ad Service
AdTools
AdTools Service
Alexa toolbar
BargainBuddy
Bullseye Networks
CashBack
cosmi
DH
EasySearchBar
Elite Sidebar
Elite Toolbar
Freeze Clip Art
GAIN
Gator
Hotbar Outlook Tools
Hotbar Web Tools
HuntBar
ISTbar
ISTSvc
Media Access
Media Gateway
MySearch
MyWay Search Bar
MyWebSearch
NavExcel Search Toolbar
NavHelper
ncase
Oemji Toolbar
Open Site
Preview AdService
Search Toolbar (HuntBar/WinTools)
ShopperReports by Hotbar
Sidefind
SideSearch
Slotchbar
Software Update Manager
SurfAccuracy
Upspiral Toolbar
TurboDownload
VBouncer
Viewpoint
Viewpoint Manager
Viewpoint Media Player
WareOut
WeatherBug
Web Rebates
Web Search Toolbar (WinTools)
Webhancer
WhenU (any entry)
WeirdOnTheWeb
Windows AdService
Windows ServeAd
WinTools
WinTools Easy Installer
WSEM Update

These are Optional removals but we recommend you remove them as well.

Download Accelerator Plus
Kazaa
Kontiki
Messenger Plus
NetPumper
NewDotNet
P2P Networking
StarWare
WildTangent

*Note* If you're unsure about ANY entry then leave it alone and the Analyst will advise you in the fix later.



Search for Rogue and Suspect Programs

Please visit the following site and REMOVE/UNINSTALL any program you have that is listed on this site.

Spyware Warrior: Rogue/Suspect Anti-Spyware Products & Web Sites

This site is updated and maintained with a list of known "Rogue" and "Suspect" programs. These programs cannot be trusted as they either don't do what they say, are poorly designed, or take advantage of the user in an effort to get YOU to spend money on buying their products. Several of these programs actually install "Spyware/Adware" on your system!

STEP 2


Run an Online scan

Perform an online scan with Internet Explorer with Panda ActiveScan

1. Click on located at the bottom of the page.
2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*

Begin the scan by selecting

• If it finds any malware, it will offer you a report.
• Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
• Click on then click

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Add the Panda log to your first post after you’ve completed the remaining steps.

STEP 3


Installing Immediate Protection

Please download and install the following programmes – they will provide some protection against further malware attacks and will continue to protect your system after you have been cleansed.

Spyware Blaster to help prevent spyware from installing in the first place. A tutorial on installing this product can be found here.


IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. A tutorial on installing this product can be found here.


*Note* After installing IE-SPYAD, a HijackThis scan will take a bit longer to run. This is normal – please be patient.


STEP 4


Update your Operating System

This is a basic step that seems to be ignored by many users. In a high percentage of cases this is the reason the user is infected in the first place. Microsoft doesn’t issue patches and updates for fun – they are issued to fix flaws in the system and ensure that users are not left open to attack.

NOTE: we may STOP the cleansing process until this is done.

*Note* There are some infections that may prevent you from updating your Operating System. In these cases please make sure you tell the analyst on your first post. They will provide a "General" fix and will try to ensure that you can update your system as soon as possible.

Note: This step is intended for those who have no Service Packs installed. If you're not sure, you can find out by right-clicking My Computer>select Properties and look on the General Tab under "System:". If you already have Service Pack 1 or Service Pack 2, please skip this step.

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.


For Windows XP Users! Only if you have NO Service Packs installed.

Quote:

IMPORTANT!: Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system (except service pack 2) (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least SP1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online. Please apply those updates BEFORE posting your next log. It is this forum's policy to stop the disinfection process until these basic updates are done. If during the updating process you get a message that your product key is invalid ....then you may not have a legitimate copy of Windows XP. Unfortunately it’s also this forums policy that we only address users with a legal copy of Windows XP.... therefore if you can not update Windows XP to SP1 we must stop the cleansing process here. **Note** If you're having trouble locating the service pack SP1a here is a direct link to download it from.. http://download.microsoft.com/downlo...p1a_en_x86.exe Thank you for your cooperation.

STEP 5


Preparing to Post your Log


Posting Rules

1. Please do not start a new thread each time you reply. We need you to keep your logs in one thread only. It’s almost impossible to complete a fix by trying to follow more than one thread.

Please do not post your logs in any other Forum - logs should ONLY be posted in the HijackThis Forum.


2. Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the word BUMP to move it forward.

DO NOT Bump the thread unless 72 hours has passed. We work from oldest to newest posts so your wait will be longer if you bump it forward before the 72 hours is up.

3. Please have the common courtesy to follow your thread to it’s conclusion. Most analysts will post a clean speech and give you instructions and advice on programs to use that will help you prevent this from happening again. If you fail to conclude the thread your PC will be left vulnerable to another infection. We devote our time to you so please return the favour and make sure your thread reaches its logical conclusion.

4. Try to post your replies and logs in a timely manner. This can be critical depending on the infection. Many infections today are able to transform and rename themselves, thus making detection and removal much harder.

For users running Windows 2000, XP or Vista

Preparing to get a log with Deckard's System Scanner (formerly Comboscan)

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
5. Please attach extra.txt to your post.

To attach a file to a new post, simply

1. Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
2. copy and paste the following into the "Upload File from your Computer" box:

   C:\Deckard\System Scanner\extra.txt
   

3. Click Upload.

What DSS will do:

• create a new System Restore point in Windows XP and Vista.
• clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
• check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

For users running Windows 95, 98 or ME

Please download HijackThis to your desktop - this program will help us determine if there are any spyware/malware on your computer.

Alternate link

Make sure you close down EVERY open window and close ALL browser windows. The only thing that should be open is the HijackThis program.

Double-click on the file you just downloaded.
Click on the "Install" button to install. It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis

Upon install, HijackThis should open for you.

Should it not open, navigate to C:\Program Files\Trend Micro\HijackThis and double click on HijackThis.exe

• If it gives you an intro screen, just choose 'Do a system scan and save a log file'.
• If not, run a scan and save the log file.
• Copy the text file (Ctrl+A then Ctrl+C) and paste it (Ctrl+V) in a new thread in the HJT Forum
• Do not fix any entries in HijackThis since they may be harmless.
• Make sure to include the System information at the top of the log as well.

Posting the Log

Important:

1. Be specific about YOUR issue.

The more information you can provide the easier it will be for us to ascertain your problem. If you receive a warning about a specific virus/trojan/worm then include the name of the infection in the thread header. For example, if your Antivirus picks up Alcra.B worm then your thread header would be something like

”Constant pop ups – Alcra.B worm”


2. Describe your issue/problem in DETAIL!

DO NOT use something like "Help Me" or "Here's My Log"...etc. This tells us nothing and is a waste of our time and yours. We cannot guess as to what may be your problem. Please provide as much detail as possible, including virus/trojan/worm names and locations if available. The more information you can give us the better we can help.

When posting the log please DO NOT:

• Attach the log. (Post it as text in the thread). Only attach the extra.txt log if you are using Deckards System Scanner.
• Wrap the log using Quote or Code tags. (DO make sure notepad word-wrap is OFF)
• Post another Program’s log (Unless we specifically ask for it)
• Cut off the header of any log (It contains important information for the Analyst)
• DO NOT Private Message the Analyst unless asked to do so.

3. Once you have posted, Subscribe to your thread by going to Thread Tools (at the top of the thread) > Subscribe. Make sure it is set to Instant Notification, then click Add Subscription.so that you are notified when you receive a reply.


This concludes the basic steps required before posting your log. Everything listed here is an effort from us to help you help yourself. The Analyst will cover many of these procedures again when reviewing your logs so please follow their instructions. And yes, you may be asked to run a tool again, even if you’ve already advised that you’ve run it previously. Once your issue is resolved the Analyst will provide links to programs and advice to help you prevent further infections in the future. Thank you for taking the time to read this.



Click here to post your log in the HijackThis Forum

Read More...... View blog reactions