Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39

AntivirusXP 2008

08/31/2008 12:04 PM

My computer got infected by the virus named in the subject line.

For valid reasons I cannot at this time buy a virus removal program. Nor am I close to a town where I can get professional IT help. I tried to install a second hard drive which had Windows XP already loaded but the virus is apparently preventing this from starting. Adding this second drive as either a slave or master simply prevents the machine from booting. I did set the jumpers for "master" or "slave" but to no avail.

The virus seems to have infected all applications from Windows XP but my Mozilla email program is not affected. Any suggestions as to how I can eradicate this malware? I work at home via internet and remote access but can't while this malware keeps me from getting to work and earning a living.

Any help would be appreciated.

__________________
Elnav
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#1

Re: AntivirusXP 2008

08/31/2008 12:23 PM

Hi elnav,

Have you seen this recent thread - http://cr4.globalspec.com/thread/21250#pagetop.

Hope it may be of use to your dilemma.

__________________
For sale - Signature space. Apply on self addressed postcard..
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#2
In reply to #1

Re: AntivirusXP 2008

08/31/2008 12:43 PM

I have now. Thanks! Unfortunately this only serves to confirm my dilemma. This malware blew right through my Norton Symantec 360 and disabled my Microsoft firewall. I realize a reformat may be the only solution, but with 30 gigabytes of self created data a complete backup has proven to be more than a challenge. I do not have a functional CD burner. And what is perhaps most relevant, Outlook is apparently a real problem to back up. My email correspondence is my most important data asset. Most computer professionals that I ask tell me they do not know where and how to find OUTLOOK (not Outlook Express) to back it up. Apparently it's not a file but an entire database.

So far I have spent 3 days trying to work around the malware.

__________________
Elnav
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#3
In reply to #2

Re: AntivirusXP 2008

08/31/2008 12:59 PM

......3 days trying...

Ouch !

I've only just recovered from a mangled OE - I hadn't realized my ISP's mail server was down and went a-tinkering. Oops. If it's any consolation, I'm also in the dark about the mechanics of OE. I think if you export messages to Microsoft Outlook, it gets stuff dumped across to your HD from the server, but don't take my word on that one. I haven't read the following yet, but it may be worth a look: http://www.iopus.com/guides/oe-backup.htm & http://office.microsoft.com/en-us/outlook/HP030822101033.aspx

Hopefully when the weekend is over you'll find some more expert advice to hand.

__________________
For sale - Signature space. Apply on self addressed postcard..
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#5
In reply to #3

Re: AntivirusXP 2008

08/31/2008 1:16 PM

It is somewhat ironic that Comspec allows advertisements that would leave you open to spam and virus attacks. Right now I have a flashing banner at the bottom of my screen saying "CONGRATULATIONS! YOU HAVE WON!!" Closer examination reveals this is a gambling program and to participate you MUST allow unspecified advertising to be sent to you. Yeah sure! And leave myself open to even more potential malware infections.

Is Comspec management nuts?? Why do they allow such advertisements to run on what should be a secure website? And if Comspec is not a secure website it makes a mockery of this forum thread and all such threads. The only advertisements Comspec should allow are for serious engineering products; NOT GAMBLING!!

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#14
In reply to #2

Re: AntivirusXP 2008

08/31/2008 6:07 PM

C:\Program Files\Microsoft Office\Office

__________________
If death came with a warning there would be a whole lot less of it.
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#104
In reply to #2

Re: AntivirusXP 2008

10/16/2008 8:08 PM

Hello ELNAV

Now that it's all over I just found an interesting article on how to prevent the infection, a couple of quick steps, if you get hit, and it may save the computer. Just thought you and some of the others might be interested in reading the article. The writer referred to this malware as extortion ware.

http://billpstudios.blogspot.com/2008/10/how-to-stop-antivirus-2009.html

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#105
In reply to #104

Re: AntivirusXP 2008

11/04/2008 2:02 PM

Thanks Roadrunner! That last post on the site had some really good info. I cut and pasted it to a Word doc that is now hard copy - just in case. Not to disparage the advice, but if you only have one computer and you do not have ready access to an alternative, you can still get hooped.

Probably not by coincidence, the computer shop in town where I bought a new router had free copies of a CD with UBUNTU Ver 8.0.4 on the counter.

Thanks to the money grab attempt by Microsoft I am now really ticked off with their products. Several people had given me older computers with various ills. A little bit of hardware tinkering, swap-outs, etc. got me a running computer but no OS. The UBUNTU CD was just the thing I needed. If you haven't tried LINUX before, this is the one to try. UBUNTU has a desktop and comes loaded with several basic programs to get you started. That makes it easy for people with MS only experience to get familiarized. After configuring my router to access my ISP using the remaining Windows computer I then plugged in the Linux machine. Surprise; it automatically connected and went to my server. Enter my user name and password and I had my email. Now if I do get another infection, I have an immune system to stay in touch with the world.

BTW one of the first things the malware did was disable my Outlook Email and my MS Internet Browser. All attempts to connect with the virus protection websites were blocked. Evidently the malware had a list of all the known sites and blocked all attempts to download tools to eradicate the virus. It also wiped all restore points and turned off all fire walls and defenses already installed as several of the posters noted. Looks like I have Ant**** 2009 and 2010 versions to look forward to.

Well back to getting more acquainted with LINUX UBUNTU. MS is definitely on its way out.

regards

__________________
Elnav
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#106
In reply to #105

Re: AntivirusXP 2008

11/05/2008 9:25 AM

Hello elnav:

I haven't had a chance to get back to you on the subject of auto backup software. I don't think it will be that processor intensive or time-consuming. If you think about it a virus scan does a lot more, I wish I could say this was my own epiphany, however after receiving your PM, I did some checking with friends, and though nobody is experienced with it that was one comment.

The software for auto backup came with my new USB drive, I just haven't utilized it yet, from what I can it can do it on the fly, of course that may be undesirable in that it could also pick up malware or a virus on the fly. As soon as I get a chance I'm going to try setting up the auto backup and see how it works.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#4
In reply to #1

Re: AntivirusXP 2008

08/31/2008 1:05 PM

REPLY #2 over the past three days I have tried all of the mentioned solutions plus a few of my own. I figured a new hard drive with just the basic Windows XP loaded might work. It did but when I then tried to install the infected drive as a secondary slave unit, the start up process was inhibited. The idea was to start with a clean drive, then copy out all my data folders.

I tried to do a reinstall, thinking that would erase the infected files and overwrite them with the correct file. NOPE! After an apparently successful install, the darn malware was still there. I tried both repair and re-install routines. The malware is clever enough to let you have some functionality remaining, thus letting you have a false sense of having circumvented it. After two tries to find and delete infected files, the program then blocked my access to Windows Explorer. Next tried to go online and find AVG or Spybot remover. Suddenly access to Internet Explorer no longer works. Trying to start either program from the Start button invokes a "run time error" message and is followed by a computer shut down and reboot. And of course this gives the program another chance to infect you more. Disconnecting my internet connection results in a system freeze. The computer is no longer capable of working as a standalone unit. You must have the internet link present. This ensures the malware can always call home and do its dirty deeds.

Unfortunately the spare drive is only 3 GB from an old junked computer I had not thrown out. The drive is not large enough to install the software packages I normally work with and definitely not large enough to contain the 30 GB of data files I need access to.

__________________
Elnav
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#6
In reply to #4

Re: AntivirusXP 2008

08/31/2008 1:29 PM

If I understand correctly, you have the slimmed down XP that works as master, and your messed up HD as slave. The slave is then taking control when you boot the system?

Maybe you can hit the appropriate F key at startup to go through the selective start-up option? Do you have an old floppy drive knocking about that you could use to create some boot discs (it would be laborious I think)?

Hope the cavalry arrive soon, it must be hell when you are working from home in a remote area. All the best, I'll keep reading. Meantime, here is another link that may shed light.

__________________
For sale - Signature space. Apply on self addressed postcard..
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#9
In reply to #6

Re: AntivirusXP 2008

08/31/2008 3:51 PM

You got that correct. Somehow the virus shows up even when the master drive is clean and the infected drive is supposedly a slave. If I have a flash reprogrammable BIOS could this have been altered somehow? I removed the 3 GB drive and checked it in the old Pentium box and it seems to be okay. Unfortunately I cannot use that old computer to access the internet. I am using a wifi link that must see my computer in order for it to work. So only the original computer is usable and the registration code is stored with the infected Windows files.

I spent half a day yesterday trying to circumvent the malware using SAFE mode. Hit F1 during the second half of boot up into Windows. Works on the clean drive but not the infected drive.

The required boot files for XP are too large for a 1.44Mb floppy.

I have a bootable CD WinXP (home edition) but that really doesn't help. In safe mode I was able to delete a lot of infected files but that only crippled the system to the point of being non functional. I had to do a REPAIR to get it working again and of course that brought about the malware again. So where is the kernel hiding that reboots the destroyed virus files?

OH! I did identify the home folder of the malware. Guess what? Files are "write protected". All attempts to change attributes failed. A delete command from SAFE MODE also failed.

Your link to a website confirmed my suspicions. Last note about fake explore.exe is how this malware propagates. My explore.exe file has been replaced by iexplore.EXE and that file is write protected. Windows explore.exe is also corrupted. Try and use it will immediately invoke a runtime error and you end up being shut down. Naturally the reboot reinstalls the virus.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#10
In reply to #9

Re: AntivirusXP 2008

08/31/2008 4:32 PM

Yeah and I'm not advocating 'spyhunter' but it does elaborate on what you are dealing with.

Every year since having trouble I've renewed a Zone Alarm Internet Security Suite and I've not had any problems. My buddies poke fun about $50/year cost but I do get a call from them every so often to help out.

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#11
In reply to #10

Re: AntivirusXP 2008

08/31/2008 5:20 PM

Yeah, I have also been paying the protection money, unfortunately I picked the wrong product. Norton by Symantec is evidently targeted as "the system to beat" and this malware blew right thru Norton and shut down my fire wall and also disrupted the built in protection that comes from Microsoft Windows. I have found my firewall shut down four times now. It has to be done by the malware. I usually go a couple of years in between encountering this level of nastyware. But every so often I do get hit.

The quick solution simply isn't available to me at this time.

Thanks for your effort.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#49
In reply to #11

Re: AntivirusXP 2008

09/06/2008 2:41 AM

elnav

download here and you'll get a kick out of this site anyway

Do check for and delete the asp acct the malware created for itself too!

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#51
In reply to #49

Re: AntivirusXP 2008

09/06/2008 2:27 PM

Bwire; was the link to a website called http:\\majorgeeks\download3155\html ??

I get a blank screen with a grey bar at the bottom. The only word is at lower left hand corner saying DONE. I think the malware is blocking my attempts to reach other websites.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#52
In reply to #51

Re: AntivirusXP 2008

09/06/2008 2:41 PM

Yes.

How long did you wait for the page to load? Not that it should take long, but under the circumstances it may take longer.

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#53
In reply to #51

Re: AntivirusXP 2008

09/06/2008 3:36 PM

Hope this will help?

Computer First Aid Using Knoppix

By Cedric Shock and Susan Sullivan

These instructions were written using Knoppix version 3.7. It can be downloaded from http://www.knopper.net/knoppix/index-en.html. This document is available online at http://www.shockfamily.net/cedric/knoppix/. There is also an older version written for Knoppix 3.2. If you need help with these instructions or have corrections or suggestions please direct your communications to cedric shockfamily.net.

Preface: Don't Panic

Windows just crashed. The computer won't boot back up. Those "System Recovery Disks" that came with your computer will erase all of your data. In most cases, when Windows breaks and will not start up again, none of your data has been lost, you just don't have a way to get to it. These instructions are a way of getting to your data when Windows won't work. If these instructions fail to recover your data, don't panic; even in cases of physically damaged drives, reformatted drives, and accidentally deleted files, professional data recovery companies such as Hard Drive Recovery Group typically have a 95 to 98% success rate. These services cost $50 to $2500 depending on the severity of damage to the drive.

You should not use Knoppix if your drives are physically damaged. If your drive was making strange sounds that you have not heard before, such as whirring, clicking or buzzing, you should get professional data recovery help and you should not use Knoppix. If your computer was damaged in a flood, a power surge, or any other kind of disaster, get the help of a professional recovery service. In these situations any further use of the drive will cause more damage, making recovery more expensive or impossible.

If you have accidentally deleted files or reformatted a drive it is imperative that you do not write anything to the drive; save your current work (on a different drive if possible) and turn off the computer. This means don't download or install any data recovery software onto the affected drive (at all if you have only one drive). You should only use recovery software that does not write to the drive. You can use Knoppix to get to and back up your other files, but do not remount the drive so that it's writable. You can find more about what to do when you lose data. Get professional help with damaged drives and deleted files and please, don't panic.

I can not provide complete step by step instructions for all of the methods covered because they depend on your computer's setup, so in places you may need to know a little about your own computer. For this reason, it might be helpful to find the manuals, documentation, and disks that came with your computer and any documentation provided by your internet service provider or information about your network. These are certainly not required, but may be helpful.

Part 1: Starting Knoppix

Put the Knoppix CD in the CD drive of the computer you need to get data out of. If you have a zip drive or other removable disk drive, put a disk in the drive. If you have a USB keychain drive or USB hard drive connect it to the computer. Turn the computer on. Some computers will start the CD automatically, while others will act like it isn't there. If the CD boots just by putting it in your computer and turning the computer on, great. You can skip the next paragraph.

If Knoppix does not start when the computer is turned on, first try restarting the computer. If that does not work, try pressing Del, ESC, F1, or F2. One of these keys should bring up either a menu from which you can select to boot from a CD, or the BIOS configuration. In the latter case, you will need to find the "Boot Order" in the bios configuration and make the CD drive first. The documentation that came with your computer should be helpful in finding this setting. After making this change and saving, restart the computer.

You will see a screen that says:

Press keys F2 or F3 for help and boot options

KNOPPIX V3.7 ...

boot:

Press Enter.

Knoppix will spend a little while detecting all of your hardware and starting up. This will take about 5 minutes. It certainly shouldn't take longer than 15 minutes. If it takes a long time and is making no visible progress, you may want to start over.

Part 2: Finding Your Data (Relaxing)

Once Knoppix starts you will be presented with a web browser window. There is a button with an X in the upper right hand corner of this window. Click on it; the window will close. Your screen should now look something like this:

There will be a series of icons down the left side of the screen. The ones labeled "Hard Disk Partition" are the hard drives in your computer. If you can, find one labeled "Hard Disk Partition [hda1]" or "[sda1]". If you can't, just pick the top one. This is probably the drive that is called "C:" in Windows. Click on this icon. This will bring up a window that looks similar to the Windows Explorer File Manager. This window will have a directory tree view on the left, and an icon view on the right. If the drive you found is your C drive, the icon view on the right will have some icons called things like "Program Files", "winnt", "windows", "My Documents", "recycled", "Documents and Settings", etc. If you are disappointed by what is on this drive, or you get an error message, close the window and try another one.

Once you have figured out which drive is which, or at least which one is your "C:" drive or other drive that you want to get data off of, go onto the next section, which is about rescuing your data.

Tips on Finding Files

The "My Documents" folder is typically found in one of the following places:
Windows 2000, XP: Documents and Settings/your username/My Documents/
Windows 2000: Documents and Settings/Administrator/My Documents/
Windows XP: Documents and Settings/Owner/My Documents/
Windows NT: winnt/Profiles/your username/My Documents/
Windows NT: winnt/Profiles/Administrator/My Documents/
Windows 95, 98, ME: My Documents/

The Desktop is typically found in one of the following places:
Windows 2000, XP: Documents and Settings/your username/Desktop/
Windows 2000: Documents and Settings/Administrator/Desktop/
Windows XP: Documents and Settings/Owner/Desktop/
Windows NT: winnt/Profiles/your username/Desktop/
Windows NT: winnt/Profiles/Administrator/Desktop/
Windows 95, 98, ME: windows/Desktop/

Part 3: Rescuing Your Data

There are a number of options in this section which you can use to rescue your data.

  1. Floppy Disk: This requires that you have a floppy disk drive and that the files you are trying to save are small.
  2. Zip Disk or Other Removable Disk: This requires that you have a zip drive or other removable disk drive.
  3. USB Keychain Drive or USB Hard Drive: This requires a USB drive connected to the computer.
  4. CDROM: Burning files to a CD requires that you have two CD drives. You must have the CD drive that Knoppix was booted from and another CD drive that can write CDs.
  5. E-mail: You need a working internet connection through a local area network.
  6. Windows Networking: You need a working connection to a local area network, and another computer on the network with a shared folder that you can copy files to.
  7. Another Hard Drive or Partition: You need another hard drive installed, or another hard drive partition onto which to rescue your data.

3.1: Floppy Disk

Floppy disks are prone to failure. Do not use them for anything other than transferring files between computers. Never keep data on a floppy disk that isn't saved elsewhere.

To recover data onto a floppy disk you need to have a floppy disk drive and a blank, formatted floppy disk. Put the disk in the drive.

Click on the "Floppy disk" icon on the desktop. This will open another file-manager type window for the floppy disk.

Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window for the floppy disk. Right click in the big area on the right and select paste.

3.2: Zip Disk or Other Removable Disk

You need a Zip Drive or some other removable disk drive and a disk to use this method of data recovery. Put the disk in the drive.

On the desktop there will be an icon labeled something like "Hard Disk Partition [hdc4]", "[hdd4]", "[sdc4]", or "[sdd4]" that corresponds to your Zip Drive. Click on it. It should open a window in which you can see the contents of the removable disk.

Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window opened for the removable disk. Right click in the big area on the right and select paste.

If you can not write to the removable disk:

You might get a message that is like "Could not write to /mnt/hdc4". In this case you will need to change the properties for the removable drive.

Close the window for the removable disk. Right click on the removable drive on the desktop. This will bring up a little menu. Select "Unmount", which is about the 5th item from the bottom of the list.

Right click on the removable drive on the desktop. This will bring up the little menu again. Select the last item in the menu, "Properties". This will open a window with four tabs. Select the third tab, "Device". There is a checkbox labeled "Read only". Make sure it is unchecked, and click on Ok. See Appendix C for a picture.

Click on the removable drive icon. This will open the explorer type window again. This time you should be able to write to the disk.

If you can not remove the disk

Close the window for the removable disk. Right click on the removable drive on the desktop. This will bring up a little menu. Select "Unmount", which is about the 5th item from the bottom of the list. Try ejecting the disk again.

Further problems

If your removable disk drive just won't work, try restarting Knoppix with a disk in the drive. Some disk drives have issues with being empty on bootup.

3.3: USB Keychain Drive or USB Hard Drive

The drive needs to already be connected when the computer is turned on.

Click on the icon at the bottom of the screen. This will make a window that looks like this:

Click on the icon on the left side of the screen. It should change to look like this, showing a list of devices in the left panel. The USB drive will have a name starting with either "sd" or "ub":

Click on one of these drives and the right panel should display the contents of the USB drive. Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window opened for the USB drive. Right click in the big area on the right and select paste.

3.4: CDROM

Burning files to a CD requires that you have two CD drives. You must have the CD drive that Knoppix was booted from and another CD drive that can write CDs.

This requires one challenging step before we can begin. Click on the icon in the lower left hand corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu and select "Root Shell". This will open a window with a light blue prompt that reads something like

root@ttyp0[/]#

Type "passwd" and press enter. Enter a new password twice. Close this window.

Click on the icon in the lower left hand corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "Multimedia" submenu and select "K3b".

You will need to set up the CD burning software before you can use it. In the K3b "Settings" menu select "K3b Setup", the last entry. You will be asked to enter the password you entered earlier. Press Ok. I can't see the bottom of this setup wizard on my screen. Press Enter or "Next" 4 times. In step 5, press the "Add User..." button. Type "knoppix" and press "Ok". Press Enter or "Next". Getting past the last screen can be hard if your screen isn't big enough. We need to push the "Finish" button. I succeeded by moving my mouse over the border of the window so that the resize cursor was visible. Then I right clicked and a menu came up. I selected "Move" and moved the window so that the bottom portion of it was visible, then pressed "Finish".

You should be able to use the CD-Writer now.

3.5: E-mail

To rescue data using e-mail you will need a working email account and an internet connection. If you are on a local area network, your internet connection should already be working. If your internet access is through a dial-up service, see Appendix A, Dial-up Networking. If your internet access is through a local area network that was not automatically configured properly, see Appendix B, Local Area Network Configuration.

Web based e-mail access is the easiest way to get email working. Open a Web Browser. You have two choices, Konqueror, and Mozilla. You can get a free e-mail account to send things through at http://mail.yahoo.com/.

It is also possible to set up Mozilla as an e-mail client if you prefer this harder route or if you have files too large to send through web based e-mail.

3.6: Windows Networking

To rescue data using Windows Networking, you need a connection to a local area network, and another computer running on the network with a shared folder you can write to. If your local area network was not automatically configured properly, see Appendix B, Local Area Network Configuration.

You will need to know the following information about the other computer:
Workgroup:
Username:
Password:
Computer Name:
Shared Folder:

If the computer is running Windows 95, 98, or ME and does not require a password for the shared folder, the username is "guest" and there is no password; it should be left blank.

At this point there are three options for connecting to the computer. The first option is easiest, but doesn't always work; try it first. The second option is a little harder, but is rock solid. The third option is presented only for those who desire it.

Option 1: Konqueror

Click on the icon at the bottom of the screen. This will make a window that looks like this:

Fill in the location bar, substituting the information garnered above for the bold text like this, and press enter:

X> Location: smb://computer/folder

For example, if the computer's name is susan and the shared folder is called shared it would look like this:

Do NOT put an extra slash at the end of the folder. For example smb://susan/shared/ would not work.

Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window we just opened for the shared folder. Right click in the big area on the right and select paste.

Option 2: The Command Line

Click on the icon in the lower left hand corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu and select "Root Shell". This will open a window with a light blue prompt that reads something like

root@ttyp0[/]#

Type "cd /mnt/" and press enter. The prompt should now read

root@ttyp0[mnt]#


Type "mkdir /mnt/shared" and press enter. This makes a directory (folder) on this computer that will represent the shared folder on the other computer.
Type, substituting the information garnered above for the parts in magenta:

mount -t smbfs -o uid=knoppix,workgroup=Workgroup,username=Username,password=Password //Computer Name/Shared Folder /mnt/shared

and press enter. This attaches, or "mounts", the other computer's shared folder to the folder we created.
Close this window.

Open a new Konqueror window by clicking on the at the bottom of the screen (it is the 5th from the left). In the address bar, after where it reads X> Location: type "file:/mnt/shared/" and press enter. This window is now displaying the shared directory on the other computer.

Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window we just opened for the shared folder. Right click in the big area on the right and select paste.

Option 3: LinNeighborhood

Click on the in the lower left hand corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "Internet" submenu then "More Applications" and select "LinNeighborhood".

In LinNeighborhood find the "Options" menu and select "Browse entire network..."

Entire Network Browse If your network requires authentication just to see the list of shared folders, select "Browse as user" and enter your network username and password. Click "Ok".

LinNeighborhood should now show a list of workgroups and the computers in them like this:

Find the computer you will be copying files to and double click on it. The list should now show the shared folders on that computer. Select the shared folder to which you will be copying data. Click on the "Mount" button in the upper left corner of the window.

Mount Dialog You will be presented with a window that looks like this:

Enter your username in the box labeled "SMB User:" and your password in the box labeled "SMB Password:". Click "Mount".

Now we need to open the directory that represents the shared folder on the other computer. Click on the at the bottom of the screen. This will open a file manager type window. There should be a folder called "mnt" in the icon view on the right; open it. In this folder, there should be one folder with the name of the computer you connected to; open it. In this folder, there should be one folder with the name of the shared folder you connected to; open it. This directory now represents the shared folder on the other computer.

Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window we just opened for the shared folder. Right click in the big area on the right and select paste.

3.7: Another Hard Drive or Partition

To recover data onto a hard disk, you will need to have either another hard drive or hard drive partition. The hard drive will need to be installed before starting Knoppix. NTFS (Windows 2000 or XP) formatted drives or partitions will not work without use of the Captive NTFS tool, documented in Appendix G.

If you are copying data to another partition on the same drive, beware. Reinstalling Windows or using "System Recovery Disks" will probably DELETE your rescued files.

You will need to make the drive or partition writable to be able to copy files to it. Right click on the drive or partition on the desktop. This will bring up a little menu. Select the last item in the menu, "Properties". This will open a window with four tabs. Select the third tab, "Device". There is a checkbox labeled "Read only". Make sure it is unchecked, and click on Ok. See Appendix C for a picture.

Right click on the drive or partition icon again. If there is an item in the menu called "Unmount" select it.

Click on the icon on the desktop for the drive or partition. This will open the explorer type window again.

Go back to the window where you found your data you wish to recover. Select the files. Right click on them and select copy. Go back to the window we just opened for the drive or partition. Right click in the big area on the right and select paste.

Part 4: Knoppix as a Temporary Computer

Knoppix can be used as a temporary operating system. It has support for a wide variety of printers and other hardware. Knoppix has programs for creating and editing documents, spreadsheets, presentations, charts and drawings including those in Microsoft Office formats. It also has powerful image editing software, web browsers, e-mail clients, games, a music player, a planetarium, flowcharting and diagramming, a calculator, a persistent clipboard, and many other programs.

To use Knoppix in place of a broken Windows installation, there are a few things that you will find convenient. You may wish to be able to write to your hard drive (Appendix C). If you configure a printer (Appendix D) or set up a dial-up internet connection (Appendix A), you may wish to save the configuration (Appendix E). If you start using OpenOffice or a Web Browser, email client, or other program that has personal settings or configuration, you will want to create a persistent home directory (Appendix F).

OpenOffice, a free replacement for Microsoft Office, can be opened using the button at the bottom of the screen.

You can get on the internet using Konqueror or Mozilla. Mozilla and "Kmail" are e-mail clients. Konqueror makes a good ftp client; type "ftp://ftp.yourhost.com/" in the address bar. There are more internet programs, such as the AOL IM client "Gaim", in the "K" menu in the submenu "Internet".

In the menu, try the addictive game "Frozen-Bubble" under "Games", the planetarium "KStars" in "Edutainment", the other "Office" programs, and the "Utilities" "KCalc" and "Klipper". "Klipper" is great if you do a lot of copying and pasting.

"The Gimp" image manipulation program is found in "Multimedia" "Graphics". You can play MP3s and other audio files using "XMMS" found in "Multimedia".

Appendix

A: Dial-up Networking

Click on the in the lower left corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "Internet" submenu. Select "KPPP (Internet Dial-up tool)".

This will open KPPP, a dial-up internet tool.

KPPP Click on "Setup ..."

KPPP Configuration Under the "Accounts" tab click on "New..."

Create New Account Click on "Dialog Setup"

New Account Enter a "Connection Name", it can be anything. Click on the "Add..." button.

Add Phone Number Enter the phone number for your internet provider; click "Ok".

New Account Click ok.

KPPP Configuration Click on the "Device" tab. Select "Modem Device:" according to the following list:

Windows Device                         Select:
COM 1                                  /dev/ttyS0
COM 2                                  /dev/ttyS1
COM 3                                  /dev/ttyS2
COM 4                                  /dev/ttyS3
Other Internal Modem (Rarely Works)    /dev/modem

Click on "Ok".

KPPP Enter your "Login ID" (username) and "Password" and click "Connect".

B: Local Area Network Configuration

This section covers local area networking configuration when the network is not started automatically. This is mostly for networks with static IP address assignment, typically old networks of Windows 95, 98, NT, and ME computers.

Click on the in the lower left corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu. Enter the "Network/Internet" submenu. Select "Network card configuration".

This will open a series of dialog boxes that will request information about the network. There may be a screen asking which network card to configure; if so select one. The next screen will ask if the network settings should be configured through DHCP; click no unless your network has automatic configuration and it failed to work the first time for a reason such as a disconnected cable. After you click no, it will ask you for an IP address. This and the subsequent settings rely on your network configuration, so I can't tell you what to do here.

C: Making a drive writable

You cannot make an NTFS formatted drive (sometimes used for Windows NT, 2000, XP) writable without use of the Captive NTFS tool, documented in Appendix G.

Close all windows and programs using files from the drive or showing directory listings of the drive.

Right click on the drive icon on the desktop and select "Properties". This will open a little window. Select the "Device" tab. There is a checkbox labeled "Read only". Make sure it is unchecked, and click on Ok.

D: Printer Configuration

Click on the in the lower left corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu. Enter the "Configure" submenu. Select "Configure printer(s)".

This will open a window called "Printing Manager". Near the top left corner of the window there is a button labeled "Add" with a little black arrow pointing down on it. Click on it. This brings up a small menu; select "Add Printer/Class".

Introduction Click "Next>".

Backend Selection Select "Local printer (parallel, serial, USB)". Click "Next>".

Local Port Selection This screen will show a list of all the ports on your computer, and any automatically detected printers. If the printer was detected automatically, select it and click "Next>". If it wasn't, select the port it is connected to and click "Next>".

Printer Model Selection Select your printer's manufacturer from the list on the left. Then select the model from the list on the right. Click "Next>".

Driver Selection Select a driver for your printer. I prefer the ones that say "CUPS" or "gimp-print". Click "Next>".

Printer Test If you wish, you can test your printer at this point. Click "Next>".

Banner Selection Click "Next>".

Printer Quota Settings Click "Next>".

User Access Settings Click "Next>".

General Information Enter a name for the printer. It can be anything. Click "Next>".

Confirmation Click "Finish".

Close the "Printing Manager" window. Your printer is now set up. If you want to save your configuration, see Appendix E.

E: Saving Configuration

Saving configuration requires a floppy disk, removable disk, USB drive, or a non-NTFS formatted drive.

Click on the in the lower left corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu. Enter the "Configure" submenu. Select "Save KNOPPIX configuration".

This will bring up a little window asking what to save. Click "OK".

The next window will ask where to save the configuration. I suggest the floppy drive or a USB drive. Click "Ok".

To load the configuration the next time you run Knoppix: if you are using a floppy disk, put it in the drive once the "boot:" prompt appears. Instead of pressing enter, type "knoppix myconfig=scan" and press enter.

F: Persistent Home

Making a persistent home directory requires a non-NTFS formatted drive.

Click on the in the lower left corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu. Enter the "Configure" submenu. Select "Create a persistent KNOPPIX home directory".

This will bring up a window with a lot of text. Click "OK".

The next window will ask where to store the home directory. Select a drive and click "Ok".

Click "No". Do NOT use the entire partition.

The next screen asks for a size in megabytes for the persistent home directory. 30 is good. Click "Ok".

Click "No". We don't need encryption.

The next time you run Knoppix, instead of pressing enter at the boot: prompt, type "knoppix home=scan" and press enter. If you want to use both a persistent home directory and a saved configuration, type "knoppix home=scan myconfig=scan" and press enter.

G: Captive NTFS tool

This tool allows writable access to an NTFS formatted partition.

Click on the in the lower left corner of the screen. This will bring up a menu like the Windows Start Menu. Enter the "KNOPPIX" submenu. Enter the "Utilities" submenu. Select "Captive NTFS".

Follow the instructions on the screen. Once ntfs.sys and ntoskernel.sys are found you may click Ok to finish the program.

Contact Information

Cedric Shock
cedric shockfamily.net

888 E 18th Ave. Apt
Eugene, OR 97401
(541) 343-6640

Last updated Wednesday January 24, 2007.

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#12
In reply to #9

Re: AntivirusXP 2008

08/31/2008 5:41 PM

For future prevention and helpful stuff.

Look to MS technet / Sysinternals Security Utilities

Stealth analysis www.grc.com/x/ne.dll?bh0bkyd2

At the end of this article are the instructions for ZLOB manual removal, the quick fix as you called it:

RootkitRevealer v1.71

By Bryce Cogswell and Mark Russinovich

Published: November 1, 2006

Introduction

RootkitRevealer is an advanced rootkit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects many persistent rootkits including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

The reason that there is no longer a command-line version is that malware authors have started targeting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.


What is a Rootkit?

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.


How RootkitRevealer Works

Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.

Can a Rootkit hide from RootkitRevealer?
It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

Is there a sure-fire way to know of a rootkit's presence?
In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that


Using RootkitRevealer

RootkitRevealer requires that the account from which it's run has assigned to it the Backup files and directories, Load drivers and Perform volume maintenance tasks (on Windows XP and higher) privileges. The Administrators group is assigned these privileges by default. In order to minimize false positives, run RootkitRevealer on an idle system.

For best results exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process.

If you have questions or problems please visit the Sysinternals RootkitRevealer Forum.

Manual Remove

Remove Zlob manually

Another method to remove Zlob is to manually delete Zlob files in your system. Detect and remove the following Zlob files:

Processes

  • nvctrl.exe
  • msmsgs.exe

DLLs

  • dtjby.dll
  • antzozc.dll
  • uimcu.dll

Other Files

  • hp[X].tmp
  • msvol.tlb
  • ncompat.tlb
  • RSA
  • Protect
  • vnp7s.net
  • zxserv0.com
  • dumpserv.com

Registry Keys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32=%System%\msmsgs.exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe

Known Variants

VirusBurst is a re-branded variant of other well-known rogue anti-spyware programs, including SpywareQuake, SpyFalcon, SpywareStrike, SpySheriff, SpyHeal and many other pseudonyms.

__________________
If death came with a warning there would be a whole lot less of it.
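The on-line/off-line comparison described under "How RootkitRevealer Works" in the post above, as an added example (not Sysinternals code and not part of the original post): it diffs a file listing taken through the running system's API against one taken from the same volume while booted from a live CD such as Knoppix. The manifest format, the sample entries, the size-mismatch check and the NTFS metadata allow-list are assumptions made for the illustration.

```python
"""Cross-view diff of two file manifests of the same volume (illustrative)."""
from dataclasses import dataclass
from datetime import datetime

# NTFS metadata files are never returned by the Windows API, so a raw or
# off-line listing always shows them as "extra". Expected noise, not a finding.
NTFS_METADATA = {"$mft", "$mftmirr", "$logfile", "$volume", "$attrdef",
                 "$bitmap", "$boot", "$badclus", "$secure", "$upcase", "$extend"}

@dataclass(frozen=True)
class Entry:
    path: str        # normalised path, used as the comparison key
    size: int
    mtime: datetime

def normalise(path: str) -> str:
    """Map 'C:\\WINDOWS\\x' and 'WINDOWS/x' (mount-relative) to one key."""
    p = path.strip().replace("\\", "/")
    if len(p) >= 2 and p[1] == ":":      # drop the drive letter
        p = p[2:]
    return "/" + p.strip("/").lower()    # Windows names are case-insensitive

def parse_manifest(text: str) -> dict:
    """Assumed format, one file per line: size<TAB>ISO mtime<TAB>path."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        size, mtime, path = line.split("\t", 2)
        key = normalise(path)
        entries[key] = Entry(key, int(size), datetime.fromisoformat(mtime))
    return entries

def is_ntfs_metadata(key: str) -> bool:
    return key.split("/")[1] in NTFS_METADATA

def cross_view_diff(api: dict, raw: dict, scan_start: datetime) -> list:
    """Return (kind, path) pairs where the two views of the volume disagree."""
    findings = []
    for key in sorted(api.keys() | raw.keys()):
        a, r = api.get(key), raw.get(key)
        newest = max(e.mtime for e in (a, r) if e is not None)
        if a is not None and r is not None:
            if a.size == r.size:
                continue
            kind = "size_mismatch"
        elif r is not None:
            if is_ntfs_metadata(key):
                continue
            kind = "hidden_from_api"     # on disk, but the API never listed it
        else:
            kind = "missing_from_raw"
        # Anything written after the first scan began differs legitimately;
        # this is why the tool asks for an idle system.
        if newest >= scan_start:
            kind = "changed_during_scan"
        findings.append((kind, key))
    return findings

# Constructed sample: listing taken inside the running, suspect Windows.
API_VIEW = "\n".join([
    "# size\tmtime\tpath",
    "1033728\t2004-08-04T12:00:00\tC:\\WINDOWS\\explorer.exe",
    "989696\t2004-08-04T12:00:00\tC:\\WINDOWS\\system32\\kernel32.dll",
    "1024\t2008-08-31T12:31:00\tC:\\Documents and Settings\\user\\ntuser.dat.LOG",
])

# Constructed sample: same volume listed from a live-CD boot, paths relative
# to the mount point. The two file names come from the Zlob list in the post.
RAW_VIEW = "\n".join([
    "27525120\t2004-08-04T12:00:00\t$MFT",
    "0\t2004-08-04T12:00:00\t$Extend/$UsnJrnl",
    "1033728\t2004-08-04T12:00:00\tWINDOWS/explorer.exe",
    "989696\t2004-08-04T12:00:00\tWINDOWS/system32/kernel32.dll",
    "45056\t2008-08-28T09:14:00\tWINDOWS/system32/dtjby.dll",
    "2048\t2008-08-28T09:14:00\tWINDOWS/system32/msvol.tlb",
    "4096\t2008-08-31T12:40:00\tDocuments and Settings/user/ntuser.dat.LOG",
])

SCAN_START = datetime(2008, 8, 31, 12, 30)   # when the API listing was started

if __name__ == "__main__":
    for kind, path in cross_view_diff(parse_manifest(API_VIEW),
                                      parse_manifest(RAW_VIEW), SCAN_START):
        print(f"{kind:20} {path}")
```

A clean diff is not proof of a clean disk: as the quoted text says, a kernel-mode rootkit can also falsify raw reads made from inside the running system, which is why the second manifest here is taken off-line.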
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#13
In reply to #9

Re: AntivirusXP 2008

08/31/2008 5:59 PM

I have to ask if you tried system restore first?

The slave drive will retain the original boot sector even if reformatted, you will need to turn off/disable the infected slave drive. Then you may be able to download a Zone Alarm "free" or temporary upgradeable security suite. Many other security software get headlines but ZA doesn't advertise much as it is primarily a commercial program.

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#21
In reply to #13

Re: AntivirusXP 2008

09/01/2008 1:37 PM

Yes the first thing I tried was a RESTORE command. To my surprise no restore points were listed except for the time I started the computer up that day. Over the next three days of attempting to remove this malware, I noticed it erased all previous restore points ( including its own) leaving only the last time the computer was started. Nasty!

Zone Alarm as well as AVG and all the other anti virus programs I know of, are on the list of "prohibited" websites. Any attempt to reach their web page via the internet gets blocked by the malware. I described this in a previous email. So far I have been careful to not connect the infected drive into a computer along with a good drive. I suspected a cross infection was possible. Have seen that happen before. A thorough browse of old computer parts in my junk bin uncovered three more drives in usable condition. None of them bigger than 3 GB. All of these have now been checked and have WinXP installed. I found three old virus programs resident on the drives, including "Spybot search and destroy". Not surprisingly none of them found any virus on the infected drive. Yet the evidence of this malware is plain to see on my desktop.

I also tried to manually erase as many of the malware files as I could identify. So much so, that the computer no longer booted up. I had to do a REPAIR from the master CD containing WinXP. I did this using a Read-Only CD drive; just in case.

While checking the older drives I learned that doing a complete re-install would erase all previous program files of windows or windows related programs such as Office Suite which includes Outlook. Until I am assured of a good back up of my emails going back 10 years, that is not an option. 10 years of consultancy work would be destroyed.

I now suspect the kernel of the malware is resident in the master boot record. Looks like I would need to do both a low level and a high level reformat to completely eradicate this monster. Grrr!

__________________
Elnav
Guru

Join Date: Oct 2007
Posts: 734
Good Answers: 70
#24
In reply to #21

Re: AntivirusXP 2008

09/01/2008 3:42 PM

I recently moved all my emails, contacts, tasks, etc. from my old laptop to my new desktop. Both are running XP, and both use Outlook (not Outlook Express). If I remember correctly, you use "Import and Export" from the file menu. First you export each Outlook database (Inbox, Contacts, Sent Items, etc.) to a *.psf file, and make a note of where these psf files are saved. Then you move all of these files to your new computer (or reformatted old computer) using the "Import from another program or file" option (I think).

To be honest I had some help with this, and am a little sketchy on the exact steps. Before you trust me you should check this link which seems to cover the subject:

http://support.microsoft.com/kb/287070

Hope this helps. At any rate I am sure that the Outlook info can all be saved, and then retrieved.

Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#25
In reply to #24

Re: AntivirusXP 2008

09/01/2008 3:53 PM

Thanks John. It's worth a try. Hopefully the virus will not be transferred along with the files.

__________________
Elnav
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#16
In reply to #9

Re: AntivirusXP 2008

09/01/2008 2:20 AM

I once saw a site with detail on how to create a set of floppies (about 6) that would work as a boot for XP. I can't remember where that was, but I found this. It may be helpful if you have a floppy drive and create a disc from the healthy HD.

__________________
For sale - Signature space. Apply on self addressed postcard..
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#54
In reply to #4

Re: AntivirusXP 2008

09/06/2008 3:44 PM

Getting rid of Antivirus xp 2008 is nearly impossible.
But if your background is blue or has the little sign where it says (Warning! Your computer is infected with spyware), and the screen saver is the screen saver of the blue error code, and when you right click on your desktop it is missing the Desktop tab and the Screen Saver tab, you could do something about that. Start > Run > gpedit.msc > click OK > you will be redirected to Group Policy > on the right click User Configuration > Administrative Templates > Control Panel > Display > now click on Hide Desktop tab > now disable it and close the window > click on it again and enable it > OK, now right click on your desktop > Properties > Desktop > now look at the name of the wallpaper you have > open a new Notepad and write down the name of the wallpaper > copy that code (the one you just wrote down in Notepad) > go to Start > Search > and paste the code and search for it in all files and folders > once you have searched it there will be like 7 files; right click them and delete, and go to the Recycle Bin and delete them from there > now go back to Group Policy and disable screen saver and then enable it > then restart your computer and change the wallpaper and the screen saver.
And if you follow each step you will have your desktop back to normal!
Oh and yeah,just ignore all of the minor pop ups done by antivirus xp 2008.Hope this helps!
Have a nice day!:)

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#55
In reply to #54

Re: AntivirusXP 2008

09/06/2008 6:41 PM

Getting rid of Antivirus xp 2008 is nearly impossible.

REPLY: Yes that is the conclusion I have reached also. I used a USB external drive to save most of my data. A replacement hard drive is now being sent parcel post. The one thing I could not duplicate was to reinstall the CAD program I was using for a contract job I was doing. The IT guy who originally installed the program is sending me a CD for a new installation c/w install key plus registration number.

In the meantime, I think I have managed to fight the virus to a standstill. I located the root folder in which the core program was residing and deleted it. That was accomplished by booting from a CD containing self starting booting software that allowed me to view folders directly. I did not find all the DLL and other files imbedded by the malware. Probably because the files are hidden.

The malware folder was write protected but my external program was able to rename it. Then I was able to delete it. Curious! I had assumed renaming it would still have preserved the properties.

At this point, I can start and run non Microsoft programs like Mozilla, and AutoCAD, not to mention the Office suite programs such as Excel and WORD. I have warned my clients to be suspicious of anything coming from me and to not open it unless I indicate it's a safe attachment in the subject line of the plain text email. No HTML script allowed in outgoing email.

Once my new hard drive arrives and I can install a new operating system plus relevant third party software - plus appropriate anti virus protection - then I can reload my saved data.

The back up computer I cobbled together from old stuff cannot handle the big power user software. Not enough CPU speed nor enough RAM; but at least it gives me an email capability and ability to copy and move files around.

Once I have a new system running, the old drive gets flattened totally, reformatted and then tested with a trial install of XP.

Let's see if the malware survives that. If necessary I may have to erase and reconstitute the master boot sector. I assume a low level format is needed to do that.

A side bar on malware. I have now seen a peak of activity in malware infestations each august for six consecutive years. Is it just coincidence? August is when all the computer companies have a big sales push on for new computers for students gearing up for school. Suspicious minds would like to know!

In the past 12 years I have only encountered real bad nastyware on my own computers a total of 4 times. 3 times in the month of August and once in December. Also a busy time for computer sale. Hmm? coincidence???

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#56
In reply to #55

Re: AntivirusXP 2008

09/06/2008 9:16 PM

Cool!

Beware, 'antivirus 2009' is waiting in unverified links to open on your desktop. Before you encounter 'anti virus XP2008' or the new 2009, forbid the tell tale script from running on your machine and install Zone Alarm.

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#57
In reply to #56

Re: AntivirusXP 2008

09/06/2008 9:53 PM

What exactly does the tell tale script look like as far as symptoms goes?

The malware is still blocking any attempts from going to Zone Alarm, or AVG, or Trend Micro website for anti virus software.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#58
In reply to #57

Re: AntivirusXP 2008

09/07/2008 1:32 AM

Primarily it is the codec (Zlob) which allows the install and its exe, detailed in the e/m I sent. So when you get a clean disc and Windows install, restrict that script or codec.

The antivirus 2009 is Chinese or at least the precursor Zone Alarm rebuffed yesterday morning was written of the language.

Do protect yourself well; is better to have and not need than, you know that story...At one time I used two hardware routers plus two software firewalls buffered and I'm thinking on doing so again. Rather than what you've experienced

__________________
If death came with a warning there would be a whole lot less of it.
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#60
In reply to #57

Re: AntivirusXP 2008

09/07/2008 9:56 AM

Hello Elnav

I was just curious if you tried the link I had sent you, downloads.com/CNet, or is the virus preventing that also. My thinking here is if you're still having problems getting antivirus software, most open source software, or software that's available for a free trial, can be downloaded through CNet. Even if they redirect back to the vendor's site there is a possibility it would fool the bug.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#63
In reply to #60

Re: AntivirusXP 2008

09/07/2008 4:47 PM

The malware seems to have the ability to learn from my actions. Some websites that provide anti virus software were open to me last week. Now these are also blocked! Right now I can "sort of" get to the internet by first going to global spec forum then hitting a link in a post. From there, I can sometimes get to other websites, provided I have a valid URL.

However websites like Google are now totally blocked. Neither Google.ca nor Google.com can be accessed. What I get is the blank screen with the "DONE" word at the bottom. By now I have learnt this means the malware interfered. My ISP reports that they see the connection broken from my end. (The malware in other words)

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#69
In reply to #63

Re: AntivirusXP 2008

09/07/2008 10:37 PM

My ISP reports that they see the connection broken from my end

Being redirected

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#59
In reply to #55

Re: AntivirusXP 2008

09/07/2008 8:52 AM

Firstly, I am pleased to see how well you are getting on, that is the only way to get around and fix such infestations.

I am pretty sure that, reformatted and with a new MBR, your hard disk will be OK again. But remove power from the other hard disk before installing XP on the old disk again, just in case!

What you must also review is your antivirus software, I go with Kaspersky (comes first in many tests in German magazines) as it does not significantly slow down your PC as does Norton/Symantec. That is a personal thing I noticed some years ago with their products. I used Antivira for a few years also before Kaspersky, also with no problems.

A good Firewall is also needed, Kaspersky brings one with it!

Also, if using DSL, see if there is a hardware Firewall that you can activate in the Modem, that is quite important too.

Make sure that you have anti-rootkit software (Kaspersky has that too) that you run each week.

Run AdAware and SpyBot Search and Destroy at least once a week, with updates of course!

If you follow the above, you are pretty well covered, but still be careful what you click on in emails and websites.....

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#61
In reply to #59

Re: AntivirusXP 2008

09/07/2008 10:24 AM

Hello Andy:

You're right about Norton AntiVirus slowing the system down. I've run outside benchmarks on machines over the years, and I would always disable my Norton when literally bench racing a friend to see who had the fastest computer.

The Kaspersky antivirus software looks good, additionally it is reasonably priced. Norton has always worked well for me, but supposedly due to the widespread popularity of Norton AntiVirus some viruses are written specifically to defeat Norton AntiVirus. One way or another Kaspersky looks like a good deal, may try it next time I have to pay for the updates to Norton again.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#64
In reply to #61

Re: AntivirusXP 2008

09/07/2008 4:50 PM

How do you get Kaspersky anti virus software if you can't buy it in a local store? How much is it?

__________________
Elnav
Register to Reply
Power-User
Australia - Member - New Member Engineering Fields - Mechanical Engineering - New Member Engineering Fields - Marine Engineering - New Member

Join Date: Sep 2006
Posts: 451
Good Answers: 16
#65
In reply to #64

Re: AntivirusXP 2008

09/07/2008 6:16 PM

Hi elnav

Sorry to hear all about your computer drama. I am just an average computer basher and an absolute novice at jousting with any virus.

I have learnt so much from your descriptions and the advice offered by the CR4 team. I just wanted to thank everyone for their efforts. It has been a wonderful training exercise for me and probably a lot of other silent partners out there.

I am going to be adjusting my perimeter defences and polishing up the arsenal

Semper Fidelis.

Many thanks.

BAB

__________________
Make it so.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#66
In reply to #65

Re: AntivirusXP 2008

09/07/2008 6:38 PM

I was hoping somebody might get some benefit from seeing the details of how this virus attacks and affects the average user.

I'm by no means an expert. I have a nice padded cell (isolated computer) in mind for this critter once I get my new hardware and software. It can try and do its darndest there without effect. Meanwhile I can take pot shots at it and gradually erase one file after another. At some point it has to die! Something like the Chinese torture of a thousand cuts.

Mind you, I would prefer to take this action against the programmer who released this virus upon the world. However, I am told by my acquaintances who promote a capitalist free market that it's just business, so it must be alright. After all, somebody is making a profit. Somehow.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#70
In reply to #64

Re: AntivirusXP 2008

09/07/2008 10:43 PM

$60

I've used ZA for many years but it is very simple and effective.

I put a copy of antivirus and antispyware in quarantine so it is invisible.

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#71
In reply to #70

Re: AntivirusXP 2008

09/08/2008 12:39 AM

Buying software over the internet is NOT an option.

Especially with the possibility of the malware scooping my account number and password plus PIN number if I try to buy online.

My question was: how do you get a copy of this great software when local computer stores do not sell it over the counter?

Staples offers Symantec, and Norton, and Norton by Symantec. Take your pick as long as it's made by Symantec. Go to any other store and they say we don't carry that, try Staples or buy online.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#74
In reply to #71

Re: AntivirusXP 2008

09/09/2008 11:24 AM

Best Buy, Circuit City, OfficeMax, Office Depot.

Or go to website / customer service / live chat and ask them so you can arrange payment/shipment issues / get a disc.

security

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#62
In reply to #59

Re: AntivirusXP 2008

09/07/2008 4:36 PM

Run AdAware and SpyBot Search and destroy at least once a week with updates of course!

If you follow the above, you are pretty well covered, but still be careful what you click on in emails and websites.....

REPLY: The irony is I have been running AdAware and other antivirus software like Symantec Internet Security. I have remained virus free for the past 4 years. I think the virus came in via an email that looked legitimate and which I was expecting. (How do you guard against something like that?) It was supposedly a tracking number for a parcel and I was expecting two parcels. This particular malware does shut off the Symantec firewall during boot up. Ditto for the Windows Microsoft-provided safeguards.

I don't surf the net and the websites I do visit are mostly those sponsored by Global spec or similar. Engineering specs, technical papers etc. My ISP does run anti-virus software (AVG and their own). Even careful drivers occasionally get hit by other drivers despite their best efforts to avoid accidents.

Sh*t happens!!

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#68
In reply to #62

Re: AntivirusXP 2008

09/07/2008 10:34 PM

I think the virus came in via an email that looked legitimate and which I was expecting. (How do you guard against something like that?)

Using an Internet security suite which includes rescan of inbox repeatedly after receipt, and yeah

Sh*t happens!!

__________________
If death came with a warning there would be a whole lot less of it.
Register to Reply
Guru

Join Date: Oct 2006
Location: New Jersey U.S.A.
Posts: 1114
Good Answers: 38
#7

Re: AntivirusXP 2008

08/31/2008 2:57 PM

If you can get on Google, type antivirusxp2008. They have forums that tell you the exact steps, manually, on how to get rid of it. They also have programs you can download that will do most of the work for you and then part you must do on your own. Follow the directions specifically. Peruse the forums until you find one useful or where you feel capable of doing.

Good Luck

__________________
The last fight was my fault. My wife asked "What's on the TV?" I said "Dust!"
Register to Reply Score 1 for Good Answer
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#8
In reply to #7

Re: AntivirusXP 2008

08/31/2008 3:31 PM

A friend did that and emailed me the instructions since I cannot access them directly. In his estimation the manual method is not just laborious, but extremely time consuming. The instructions close by recommending against doing it, but contact Spyhunter and buy (har har har) their software to do the job, for a mere $69.95 USD. Isn't that simply a more legalized form of extortion?

. . . . Ok I have picked myself off the floor and stopped laughing.

Seriously, I did manage to get a downloaded copy of the latest Norton, even newer than what I was running. Guess what? It would appear the malware was prepared. Every attempt to install Norton yields an error message to the effect that a "setup error" occurred and will require a restart. Which of course resets the clock and reinstalls the da*n malware intact. GGRRRR!

Firefox to the rescue. . . NOT!!

Firefox does allow me access to the internet; sort of, and is very slooooow. There is a website from a link in an earlier post that gives you the choice of downloading a new virus software package. Guess what? Once again the malware programmer anticipated this. Every attempt to access any of the big names (except Symantec) is blocked. What you get after a two minute wait is a blank page with a tiny command line at the bottom saying "DONE". As near as I can tell it's an overlay, because if you reduce but not minimize it, you can see another screen behind it. But as soon as you now try to activate any feature in that other screen window, you also invoke an error. It's pretty much designed to discourage any but the most persistent and somewhat knowledgeable computer nerd. Since the name of the game is to subvert the computer to their use, not cripple and disable the computer completely, the malware doesn't totally screw up the functionality. Just gives the appearance of doing so.

This kind of malware is out and out criminal extortion. If someone was to physically threaten you and prevent you from earning your livelihood if you didn't pay protection money, it would be illegal; but because it's done on the internet, apparently it is legal and the authorities won't do anything about it. Or else they are powerless. Take your pick.

You either pay legally sanctioned protection money (official protection racket by marketing) or you run the risk and suffer the consequences of pirates depriving you of the means of earning a living via the internet.

My guess is the malware programmer has learnt how to defeat Norton but not the other virus fighters. So to keep you from downloading something effective, the malware interferes with the attempt to download.

__________________
Elnav
Register to Reply
Member

Join Date: Aug 2008
Posts: 8
#15

Re: AntivirusXP 2008

08/31/2008 11:13 PM

Try going to a site called computerhope.com; there are some very good people on this site that I am sure can help you out. It is a five-star site, excellent people there.

Register to Reply
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#17

Re: AntivirusXP 2008

09/01/2008 4:26 AM

I hadn't completely read through all the responses when I replied with my second p.m.
I didn't hear from my friend that picked up the same bug this afternoon, so he must've not had any luck yet. I notice you've already tried safe mode, as I mentioned he had gained administrative access, but was still experiencing many of the problems you describe.

He has a backup machine so he's been able to access the Internet to get software, and he's been able to load software through the flash drive, but unable to get it to run for the same reasons you've already mentioned.

A thought occurred to me though during my insomnia tonight, about one possibility with your data files. I always set up my machines with multiple partitions. I have always stored music, unloaded programs, and documents on partitions other than the primary partition, which makes it really easy to reload the computer without losing everything; generally Windows will even pick up orphaned files from programs that had been storing information on partitions other than the partition the program was on. I have never used XP to repartition a drive; in fact, being a cheapskate, I have just switched from 2000 Professional to XP Pro in December, when I got tired of chasing the updates for 2000. Generally if I need to change the partition size on a loaded machine I use PartitionMagic. My thought here is you may be able to repartition your drive and move your data off the primary partition and reload; hopefully the problem would be isolated to the root section and operating system.

Of course there's a good chance this bug may prevent that; however, I figured I'd field the suggestion. For all I know XP doesn't have the capability to add partitions to a loaded drive; however, I'm sure someone else knows a lot more about XP than I do.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#18

Re: AntivirusXP 2008

09/01/2008 6:29 AM

You can try Knoppix from a bootable CD that allows you to look at the infected disk, save data (to a new hard disk) without the infected hard disk being "booted", only read from....it's what I recently did for a friend with similar problems......it will also rewrite the boot track on your infected disk when you eventually reformat it......

You certainly need an extra (USB?) drive to save your data to, that makes the whole operation much easier.

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply Score 1 for Good Answer
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#22
In reply to #18

Re: AntivirusXP 2008

09/01/2008 2:11 PM

Thanks Andy! That suggestion earned you a GA.

My last virus attack was 4 years ago and I think a friend left me a CD with Knoppix on it. It's buried among stuff packed during a move, but I think I know where to find it.

Tell me more about how to rewrite the boot track. I am assuming the Knoppix from 2004 is still adequate for this task. If not, have you got a link where I can download a newer version?

A friend is mailing me a USB external drive but he is 3000 miles away and it will be 10 days before it gets here. I can get another friend who is only 600 miles away to download stuff and mail me the CDs. Even so, that also takes time.

It's one of the few downsides I have found about moving away from civilization. Hardly anyone here has computers and those who do have slow dial up. I am extremely fortunate to be able to access the internet via Wi-Fi using a link provided through a provincial network connecting all the emergency service stations. Next node is 50 miles away. Only other method is via satellite link and they want $600 up front to connect you.

__________________
Elnav
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#26
In reply to #22

Re: AntivirusXP 2008

09/01/2008 6:47 PM

Hi Elnav,

You need a new version, go to:

http://www.knoppix.org/

and download the bootable CD image.

Best of luck,

Andy G.

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#33
In reply to #26

Re: AntivirusXP 2008

09/02/2008 10:37 AM

Hello Andy:

After I finished cussing you for posting a link to a page written in Greek (at least it was Greek to me) I located the icon for the English version, which I am downloading now. Looks like some good software to have lying around. As our poor comrade in arms has learned, there's no such thing as having too many tools to work with. Obviously if you only have one machine it becomes a major problem to locate software after the fact. So thanks for the link.

Personally I panic if I don't have at least two operational machines, and collect anybody's junk; a 500 Pentium will get you on the Internet just fine. Unlike Elnav I live in an urban area, and have easy access to just about anything I need.

A lot of good information has been distributed in this thread.

From Elnav's plight as well as my friend's, I realize there's no such thing as being too paranoid when it comes to protecting your data from outside attack (I've also learned not to back up my data to striped raid arrays). In a previous post I mentioned my five year old machine failed; since my wife does some accounting for the church she belongs to from home, if she doesn't have a working computer it's a fight for access to mine. It was going to cost me over $100 to replace the antiquated board to read the raid array, and I still would've been left with an out of date computer. I was able to purchase a brand-new low-end E. machine for $250, much faster, and I didn't have to build it. I haven't backed up my data to it yet; needless to say I'm going to do that today.

PS: I previously had a lot of problems getting Red Hat and open source software to work, hopefully I'll have better luck with this.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#37
In reply to #33

Re: AntivirusXP 2008

09/02/2008 2:05 PM

YMROADRUNNER wrote: if you only have one machine it becomes a major problem to locate software after the fact. So thanks for the link.

Personally I panic if I don't have at least two operational machines, and collect anybody's junk, a 500 Pentium will get you on the Internet just fine. Unlike Elnav I live in an urban area, and have easy access to just about anything I need.

REPLY: I have scrounged used equipment from garage sales etc. but since the move here I had not got around to setting up a network. Most of the machines had old software like Win 95 and Win 98. Not the most convenient when my main machine was running XP. Tiny sized drives not capable of loading all the necessary programs is another issue. To my dismay I have discovered most recent software does not give you the option of installing to and running from anything but the C:\ drive. The install wizard just assumes the computer only has one drive.

What is a striped raid array?

What is Red Hat open sourced software?

__________________
Elnav
Register to Reply
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#43
In reply to #37

Re: AntivirusXP 2008

09/02/2008 4:14 PM

Hello Elnav:

A striped raid array allows information to be simultaneously written to two or more hard drives, putting part of the information on each hard drive, thus allowing a faster transfer of data. A mirrored raid array does pretty much what the name implies: it duplicates the information, so that if one drive fails all the information is still available on the other. Striped is faster and the drives' capacity is additive, i.e. two 80 gig hard drives combine to give you 160 gig capacity.

Mirrored is safer, slower, and the capacity is 80 gigs for two drives as in the last example. There are other types of arrays like raid five. Example of this: five drives are run in a striped array, any single drive can fail, and once replaced with an operational drive the array will rebuild itself, and through a mystical process I do not understand, it will replace the information that was on the defective drive. So my problem with backing up on a striped array is I cannot simply plug the drive in as a slave and read the files, as they must be read in a set. And it would cost more to get a raid controller or replace my old ASUS motherboard than it's worth, that is unless my computer crashes, or comes down with a virus that seems to be the computer equivalent of Ebola, as yours has, before I back up my data to the new machine.

Red Hat is just one of the many suppliers of the Linux open-source operating system. They all supply the software free for download as far as I know, or you can go down and buy it at your local software supplier with the manuals, which they charge for. Don't know that much about it because I've downloaded several times and never got a complete download that wasn't corrupted some place. However it is reputed that you can enter a Windows based machine with the Linux boot disk, and do a few magic tricks like bypassing administrative passwords and problems caused by viruses to access data. As I said though, the long download times, and then finding the files corrupted, have previously thwarted my attempts to experiment with the operating system.

I have a program, ERD Commander, that will allow you access for password problems and to correct corrupted files that otherwise might be inaccessible. The friend that picked up the same bug as you also has ERD Commander. He was able to access his system but was still having problems. At that point he just crashed and reloaded the system, which is exactly what I figured he would do before I could get my hands on his machine; he loses patience quickly.

He has a talent few people have: he could screw up a steel ball with a rubber mallet, so if you don't get over quickly when he calls for help a minor problem can become a national disaster. But since you've done mechanical work I'm sure you're familiar with the type; it is much safer to take the tools away from them, and send them on a beer run, than to have them help.

As far as Red Hat, this was the first link that came up when I googled Red Hat. I know nothing about it but if you're interested there should be information on that site, or just google Red Hat.

Http://www.icewalkers.com/Linux/Software/53470/Red-Hat-Linux.html

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Register to Reply Off Topic (Score 5)
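The striping, mirroring and single-drive rebuild described in post #43, as an added example that is not part of the original thread. It is a toy model: the 4-byte stripe unit, the parity rotation, the function names and the sample data are all assumptions chosen for illustration. It shows why one member of a striped set is unreadable on its own, and that the RAID 5 rebuild is a byte-wise XOR of the surviving drives.

```python
from functools import reduce

CHUNK = 4  # bytes per stripe unit (assumed; real arrays use far larger units)
SAMPLE = b"church ledger 2008: backup copy of accounts"  # constructed sample data


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def split_units(data, units_per_row):
    """Cut data into CHUNK-sized units, zero-padded to fill whole rows."""
    row_bytes = CHUNK * units_per_row
    data = data + b"\x00" * (-len(data) % row_bytes)
    return [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]


def raid0_write(data, n):
    """Striping: unit i lands on drive i mod n. Capacity adds up, no redundancy."""
    drives = [bytearray() for _ in range(n)]
    for i, unit in enumerate(split_units(data, n)):
        drives[i % n] += unit
    return [bytes(d) for d in drives]


def raid0_read(drives, length):
    """Reading needs every member: the units are interleaved back in order."""
    out = bytearray()
    for row in range(len(drives[0]) // CHUNK):
        for drive in drives:
            out += drive[row * CHUNK:(row + 1) * CHUNK]
    return bytes(out[:length])


def raid1_write(data, n=2):
    """Mirroring: every drive holds a full copy, so any one is readable alone."""
    return [bytes(data) for _ in range(n)]


def raid5_parity_drive(row, n):
    """Parity rotates across drives from row to row (one possible rotation)."""
    return (n - 1 - row) % n


def raid5_write(data, n):
    """Each row holds n-1 data units plus one parity unit (XOR of the data)."""
    units = split_units(data, n - 1)
    drives = [bytearray() for _ in range(n)]
    for row in range(len(units) // (n - 1)):
        data_units = units[row * (n - 1):(row + 1) * (n - 1)]
        parity = xor_blocks(data_units)
        pending = iter(data_units)
        for d in range(n):
            drives[d] += parity if d == raid5_parity_drive(row, n) else next(pending)
    return [bytes(d) for d in drives]


def raid5_rebuild(drives, failed):
    """Recreate a lost drive: XOR of all survivors, whether it held data or parity."""
    return xor_blocks([d for i, d in enumerate(drives) if i != failed])


def raid5_read(drives, length):
    """Reassemble the data units, skipping each row's parity unit."""
    n = len(drives)
    out = bytearray()
    for row in range(len(drives[0]) // CHUNK):
        for d in range(n):
            if d != raid5_parity_drive(row, n):
                out += drives[d][row * CHUNK:(row + 1) * CHUNK]
    return bytes(out[:length])


if __name__ == "__main__":
    striped = raid0_write(SAMPLE, 2)
    print("striped member 0 alone:", striped[0])        # every other unit only
    print("striped set together:  ", raid0_read(striped, len(SAMPLE)))
    array = list(raid5_write(SAMPLE, 5))
    array[2] = raid5_rebuild(array, 2)                  # drive 2 "replaced"
    print("raid 5 after rebuild:  ", raid5_read(array, len(SAMPLE)))
```
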
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#44
In reply to #43

Re: AntivirusXP 2008

09/02/2008 6:20 PM

I have by now tried several of the recommended anti virus and spyware programs. All of them have one weakness in common.

They will detect virus software and even tell you what they do.

Unfortunately all of the "free" software want payment in advance before giving you the tool to remove infections.

Here is the catch! If you have a malware that logs your keystrokes and sometimes redirects you to bogus websites or else captures your credit card account number and your PIN when you make an internet payment, what good is it to first let the malware steal your data before you get the eradication software?

I know I have a program that records my credit card info, so what prevents them from capturing the transaction data and forwarding it before I can download and install the cure?

So these programs are a prevention; NOT a CURE after the fact.

My attempts to erase the known virus files have not yet met with success. Although I have removed those I know of, the problems persist. So some things remain hidden.

I have noted that any connection to an antivirus website now gets interrupted after about 2 minutes' connection. Accident or intentional by the virus? Hmmm

__________________
Elnav
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#38
In reply to #33

Re: AntivirusXP 2008

09/02/2008 2:25 PM

Roadrunner wrote:

Unlike Elnav I live in an urban area, and have easy access to just about anything I need.

REPLY: Admittedly living far away from civilization has its downside, but it's the technology that allows people to live where they want while still working with companies elsewhere.

Yesterday was sunny so I took a break from virus fighting and we went up on the high plain to pick berries. A service road leads up to a repeater tower set on the highest point of land. Talk about a view! The horizon is 50 miles away. The only time I have seen a comparable view in California is from the restaurant atop the mountain near Palm Springs. The restaurant built up at the gondola skyway ride from down below in Palm Springs. But mostly the smog in CA hides the distant view. From where I stood it was 500 miles to the open Pacific Ocean and nothing but trees and a few mountains in between.

Canadian logging practice and American logging are like night and day. In Canada the logging is done in patches, leaving large areas of trees between the logged patches. Although logging does clearcut unless they encounter a sizable stand of same species trees not wanted for lumber. Birch is considered a scrub plant and not wanted for logging. So many birch groves are left standing. The processors strip the branches and leave this slash as ground cover to minimize run off from rain and to provide shelter for small animals like rabbits, mice, martens and weasels. The following year the logged areas are replanted. Within four years the area looks more like a meadow than a clear cut. In addition many tree trunks are left standing as bird roosts and select mature trees are left alone for natural re-seeding. In the meantime the cut areas become great berry patches. Wildlife abounds. Deer, moose and black bears can be seen every day. Occasionally cougars. City people pay big money to come here for short vacations. We live here year round.

__________________
Elnav
Register to Reply Off Topic (Score 5)
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#41
In reply to #26

Re: AntivirusXP 2008

09/02/2008 2:37 PM

Thanks! Any idea which site is the fastest? I tried several but each time got a message indicating the download would take 5 hours or more. My server times out if I try any download lasting longer than 1 hour. It's a safety precaution by the ISP.

It's only 700 MB; why so long a download time?

__________________
Elnav
Register to Reply
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#47
In reply to #26

Re: AntivirusXP 2008

09/06/2008 2:26 AM

Andy, for some reason I could not get a good download. I suspect the malware was responsible for interrupting the download. My ISP said they did not initiate a disconnect from their end.

Could I not use the older 2004 version of Knoppix? Unfortunately my German is so bad I can't read the instructions.

__________________
Elnav
Register to Reply
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#48
In reply to #47

Re: AntivirusXP 2008

09/06/2008 2:38 AM

Is this site of any use: http://www.knopper.net/knoppix-mirrors/index-en.html

Usual disclaimers from me.

__________________
For sale - Signature space. Apply on self addressed postcard..
Register to Reply
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#50
In reply to #47

Re: AntivirusXP 2008

09/06/2008 7:32 AM

I only recently used Knoppix, so I am unable to even guess as to whether the 2004 version will help you. If I was allowed a guess it would be a "don't bother!" Guess, sorry.

Can someone else download a recent version for you?

__________________
"What others say about you reveals more about them, than it does you." Anon.
Register to Reply
Anonymous Poster
#19

Re: AntivirusXP 2008

09/01/2008 9:55 AM

Had it also, back when it was called AntivirusXP 2006. The only real solution is to reformat the hard drive. Some of the other solutions work, but the computer never seemed to be quite right after they were tried.

I also came up with this plan to prevent more tears from my daughter about lost pictures and files:

1 I will not have anything on any of my computers that I cannot lose through reformating.

All you need is the first rule. I accomplished this by finding websites that offered free storage, usually 5 GB at a time without having to pay for it, on their servers. I was very fortunate when when I discovered X-Drive from AOL. My daughters a big AOL user, and teaching her to save to X-Drive was extreamly easy. I have an X-drive account for her, her boyfriend and myself. Now it seems that AOL is getting rid of X-Drive but there are many others, the one I'm shifting to currently is offered by Adobe when you upgrade to Adobe 9, so far it seems to be the easy use winner for teaching others to save files to, I now have 3 accounts with them, 5 gig each.

You indicated you use Outlook alot. Have you checked out Micrsoft Live Hotmail lately? They have their own called Spaces (also 5 Gig free) and, I'm not an Outlook user, I believe a Live Outlook also.

There are many out there, Earthlink, Yahoo, Gmail all offer them.

It may be of some interest to you that the writers of antivirus 2008, 2009 may have made a very large mistake in sending out their malware as an Adobe flash update. Adobe apparently don't like that too much, you can tell that from their flash website, I would imagine their engineers are working on something for that problem.

As far as bookmarks and passwords go, I purchased two U3 usb thumb drives from Kingston, any of the top manufacturers will work just as well. I use Firefox for U3 for most of my net surfing and in the add ons, you can download and install Foxmarks, which saves all my bookmarks, etc., to their server for easy access from any computer anywhere. I have included both MSN.com and AOL.com in my bookmarks so I can easily access my accounts there from Firefox. I'm using my U3 now to access CR4.

The only password program I use is also from the U3 website and it's called Signupshield for U3, it's one of the few programs I've paid for, but as well as I can see well worth the money (You've probably guessed that I'm a big believer in FREE stuff).

I use GoodSync from Siber Systems (free version) to sync the U3 Drives it seems to really work well for me.

I have three computers that I use this system on, including a laptop with 32 Gig of music on it all of it saved. In July of this year, my 10 year old niece and myself found the Adobe 9 flash update the hard way. That was on a Thursday morning, gave all other users until Saturday morning (when I get up) to save anything they haven't already. Started full format (long version, just to be sure) a little before 8AM. Had everything back by 2PM that day not working too hard at it.

I no longer have any spyware programs or anti-virus including windows security working. My personal laptop doesn't even have system restore running on it.

I will also tell you that I use RoadRunner Turbo 15Meg as my ISP and am behind a Netgear Prosafe FVS338 router. I do use a Netgear WAG102 access point for my WiFi with the usual safeguards. I don't care what anyone else says, putting your computers behind even a less expensive router (I have a D-link I use for back-up, 34.95 at Best Buy that worked very well when I had a lightning strike) is the best method for preventing unauthorized access.

I've found it's better to be fully prepared and very willing to reformat at the first sign of a problem rather than spend ten days fooling around trying to get around the threat and then not knowing for sure if you have succeeded in getting around it.

I hope you take some of what I said to heart and employ some of the methods I use to make the next time, and there will be a next time, easier to recover from.

I am a CR4 member who doesn't use his name and an Industrial Electrician by trade.

Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#23
In reply to #19

Re: AntivirusXP 2008

09/01/2008 2:39 PM

Electrical guest wrote: I will not have anything on any of my computers that I cannot lose through reformatting.

REPLY: That's fine except how do you do a backup of OUTLOOK emails when Outlook doesn't create files for the email but loads it all into a database. Unless you are an IT person and have a large server system available to you, doing daily backup of OUTLOOK email is well nigh impossible, certainly not practical. If there is an easy (meaning not time consuming) way, none of my computer savvy friends know of it.

As for saving stuff on a remote server, that doesn't work when you do not always have internet access. Also I have some reservations about having my data stored on somebody else's server in another country where the government has the right to snoop any time they want. Several of my acquaintances who work in computer security have expressed concern about this very issue. Don't give me the argument about if I have nothing to hide what am I worried about. I am talking about border guards who really know nothing but who have access to limited bits of data on me. When they put 2 and 2 together they get either 22 or 4 depending on ??.

I was once questioned by a border guard about me being a writer. That particular bit of information was only mentioned once previously at a border crossing 3000 miles away and five years previously. The process by which that guard came into possession of that particular snippet of info should raise a few eyebrows. I was once also excluded from doing work on a particular US government contract despite having the requisite work permits and being the designer of the system. I am on record as being critical of US government policy. That fact earned me a file entry in the home kountry security system.

What exactly is the U3 system and why is it so good?

Good point about the router. I now have one on order. Didn't think I needed one, with only one computer being used. Time to rethink strategy. It's been four years since I last got hit with a virus. I was beginning to think my protection system was working. That time the flaw was of someone else's doing. Thought I had plugged the hole in defenses.

__________________
Elnav
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#27
In reply to #23

Re: AntivirusXP 2008

09/01/2008 6:50 PM

There is a free Outlook backup program from Microsoft that you can download....look for it at:

www.microsoft.com

__________________
"What others say about you reveals more about them, than it does you." Anon.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#40
In reply to #27

Re: AntivirusXP 2008

09/02/2008 2:33 PM

Andy where exactly on the website are you looking?

The only download I saw is Silverlight. Doesn't sound like that is what I want.

__________________
Elnav
Guru
Engineering Fields - Electrical Engineering - New Member United States - Member - New Member

Join Date: Apr 2007
Location: Wichita, Kansas USA
Posts: 653
Good Answers: 30
#42
In reply to #40

Re: AntivirusXP 2008

09/02/2008 3:34 PM

Elnav,

Here's a link to the Microsoft Outlook backup tool;

http://office.microsoft.com/en-us/outlook/HA010875321033.aspx

It says it works with Office 2002 and newer, but elsewhere it said with Office 2000 and newer, not sure which it is. This page also confirms what I've said about all the information being stored in one .PST file.

Tom

Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#28
In reply to #23

Re: AntivirusXP 2008

09/01/2008 7:30 PM

You said: Good point about the router

Routers are great, and they will save you from being attacked on ports that you do not use. They do not protect you on the ports that you must leave open, (not to disagree with the guest about the high-end unit that I know nothing about that may have additional features) so I would highly recommend installing spyware protection.

Not necessarily touting Spybot Search and Destroy, however besides being free, (although they accept donations) the newer versions have a feature that will not allow registry changes without approval, a pain when you try and load new software and I sometimes turn it off when doing that, but so far it seems to have repelled the XP antivirus malware.

From what my friend that got the virus yesterday described i.e. pop ups saying his computer had been infected, I've already been unsuccessfully attacked a couple of times. I hate to say that it is like begging a lightning to strike.

Also in reading through the post I noticed that others have been able to remove the earlier forms of the virus and commented that the machines never ran the same. The person I'm referring to that got the virus yesterday relayed the same information to me, (regarding earlier forms of the virus) he got it off but eventually ended up reloading because the machine was acting up. Just an FYI for whatever it's worth.

PS: I generally save my older machines and put them on the network to backup critical files on. However considering my five year old machine's BIOS just crashed, and that the drives were set up in a striped raid array which would be recoverable but more trouble than it's worth. And that you've now scared the hell out of me with your horror story, I'm considering buying a USB portable hard drive. I saw a hundred gig on sale a couple of weeks ago for about $75, so the next sale that finds me with any free money I'll probably get one, once unplugged the only way it can be attacked is to be stolen, and you can plug it in and read it in any machine.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Anonymous Poster
#29
In reply to #23

Re: AntivirusXP 2008

09/02/2008 6:35 AM

You should go to www.u3.com for a tech description but the simple version is that it's a USB thumb drive that looks like any other. The exception is that there is a firmware program in it that allows it to launch itself as a boot drive allowing you to use the programs that you've put on it such as Firefox to run only from the u3 drive. The really neat trick is that when you eject the drive, it leaves no trace of itself on the computer that you've been using. There is a launcher program included on the drive that you can set up on your c programs that reduces the actual boot time from about 50 sec to less than 10, but it's not mandatory that you put the launcher on your computer, the u3 works just fine without it.

I've used it on a number of computers other than my own with no difficulty.

Be careful, u3 is not a portable application like Firefox Portable that you can put on any portable drive. I've tried to make a drive with portable firefox on it, but it didn't work anywhere near as well as the u3.

You can see more of the u3 programs available at www.software.u3.com.softwarecentral.aspx

As usual there are a large number of free ones, you should check them out, you might find something that suits your particular needs.

All the usb drive makers do have the u3, it's usually described as a U3 Smartdrive, mine are the early versions from Kingston at 1 Gig each but I believe they now go to 8 Gig.

About the router, most all of them have programs like Trend Micro already built in. They are very good at keeping people out, so good you can shut yourself off from many websites (I know for sure, I did it to myself). My router has a box on the set up pages for what they call "stealth mode", there are a number of websites that test your computer for open ports and such and same, they have always come back as no open ports and the most they found out is the ip address of the cable modem but nothing past it. You'll have to play with yours when you get it to get it best for your circumstances.

As another side note, as I said before, I do not use outlook at all, I believe Firefox Thunderbird will pick up the outlook e-mails, if you get a chance you can look into that one also.

I don't know your particular needs and I'm only offering what I've done for my circumstances, maybe some will work for you, maybe not.

I do particularly enjoy the U3 drives. I got so tired of losing bookmarks and passwords for bank accounts and websites I just had to do something. The u3 seems to have solved that problem for me at least. I can travel without fear of being unable to log on to my stuff from any computer with a usb port, and then making sure there's nothing left behind for the crooks to empty my accounts.

I hope this helps you

Anonymous Poster
#30
In reply to #23

Re: AntivirusXP 2008

09/02/2008 8:35 AM

I am so glad that you admit to being critical of the US system. That opens the door for me to admit being absolutely convinced that the majority of Canadians are stark raving lunatics. Who is absolutely dumb enough to allow the language in their country to be 1/2 English and 1/2 shit.

Score 2 for Off Topic
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#35
In reply to #30

Re: AntivirusXP 2008

09/02/2008 1:08 PM

HEY! You forgot the other third (French). I assumed you mean English and American when you refer to 1/2 English and 1/2 shit. For us immigrants there is yet another mother tongue, that we speak at home or with family at times.

Depending on where you live and work, you can end up being able to fluently swear in Italian, Portuguese, Greek and even Urdu. My wife has picked up enough Russian from her step father to make a choir boy blush. A bit of trivia. Canada means village in the Algonquian language and Canuck means idiot. Guess that makes Canadian canucks mean village idiots.

__________________
Elnav
Off Topic (Score 5)
Anonymous Poster
#20

Re: AntivirusXP 2008

09/01/2008 12:42 PM

There are several free rootkit cleanup programs available for download. Try looking for information about your problem on CNET. You may also want to check PCMag.com for a solution.

Guru

Join Date: Oct 2007
Location: Tulare, CA
Posts: 1783
Good Answers: 35
#31

Re: AntivirusXP 2008

09/02/2008 9:46 AM

There's a lot of good information in this thread.

I use Kaspersky for protection and Spybot.

I also have a router that provides a firewall separate from the Windows XP firewall.

I get spyware once in awhile but my anti spyware removed them ok.

Someone mentioned a site to look up for outlook back up program.

Even without that program, any email you want to save, you can still copy it as a file and archive it somewhere.

You can also just remove your hard drive and mail it to an IT Specialist. If the information is that critical to your livelihood then the investment would be worth it.

A lot of people here are giving information to try to self-help, but sometimes the self-help methods waste a lot of time is after you've tried everything and never get any good results.

__________________
Why is there never enough time to do it right the first time but always enough time to do it over?
Guru

Join Date: Aug 2007
Location: Indiana, USA
Posts: 579
Good Answers: 61
#32

Re: AntivirusXP 2008

09/02/2008 10:16 AM

ElNav, I've encountered the same problem a couple of times on systems I administer. I was able to use an app called SmitFraudFix to clean it out.

NOTE: I only use this program as a last resort, and it sounds like you're at that point. SmitFraudFix was apparently written by someone who got really ticked off about malware making unauthorized changes to his OS. It's a very thorough process, which restores nearly all of the XP default settings. It even turns off any non-XP wallpaper or themes.

HERE is the home page for SmitFraudFix. Make sure you follow the directions exactly.

__________________
Experience: The knowledge you gain just AFTER you needed it.
Guru
Engineering Fields - Electrical Engineering - New Member United States - Member - New Member

Join Date: Apr 2007
Location: Wichita, Kansas USA
Posts: 653
Good Answers: 30
#34

Re: AntivirusXP 2008

09/02/2008 11:54 AM

Elnav,

I think all versions of Outlook (not Outlook Express) save all the data in one file, it's the PST file, and has your contacts, calendar, all emails, etc. If you can copy this file, you have a backup of your email. Make sure you do not have Outlook running when you go to copy the PST file. Depending on how many emails you have, the file can grow quite large, but should fit on a USB drive, CD or DVD.

You should be able to install a different "master" hard drive to boot to, and be able to access your "infected" drive. I don't think having the "infected" drive running as a slave drive would cause your system not to start, my guess is you had a configuration problem with master/slave jumpers or a BIOS setting.

You did ask in one post if the virus may have overwritten your BIOS, and there are some that are known to do that, I'm not sure if this is one of them. If it is, then you will need to get it out of your BIOS before doing anything else, or any drive you connect could conceivably have the virus copied to it, and you will never have a clean system! If it were me, I'd hook up the infected drive via an external hard-drive adapter (USB type), get the most important data I wanted to salvage, then start again from scratch.

Good luck, and keep us posted on your progress.

Tom

Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#36
In reply to #34

Re: AntivirusXP 2008

09/02/2008 1:54 PM

I was told by an IT specialist that Outlook Express uses a file for email but OUTLOOK uses a database format. That is what makes OUTLOOK so difficult to back up.

Looks like I need to have an off-line computer set up to do backups at night when I am not using the computer. Maybe coupled with a disconnect switch for the DSL connection. At one place I worked it took six hours to do the complete backup every night. To meet the off-site storage requirements imposed by good practice and our insurance company, the first thing the boss did every morning was to collect the backup media and deliver it to the offsite storage vault. What a pain! Later on offsite storage via internet became common. Much easier but just as expensive.

I actually maxed out my Outlook capacity last spring. According to Microsoft, there is a finite limit to how many emails can be stored. I exceeded the limit and caused crashes. That was when I switched to Mozilla Thunderbird. But I keep OUTLOOK available for archive and back reference purposes. It's not unusual for someone to contact me for a follow up on something I did four or five years ago.

Hooking up the infected drive via a USB port looks like the way to go. I found a portable drive with a crashed drive (might have been dropped) and placed a working drive in it. Kept getting an error message about high speed USB connected to a low speed port. Don't know what to do about that. Can it be fixed with software or is this a hardware issue? I have backed up all data except my OUTLOOK at this point.

I was told that if I removed the memory battery from the motherboard for half an hour that this would drain any capacitors keeping flash memory alive including bios flash updates. I changed the memory battery on the mother board in my junk bin that I tried to use in cobbling up another computer. I guess the half hour was to ensure all charges in any storage caps was dissipated. Shorting out the batt term with a 1k resistor should do the same in a shorter interval.

My focus at this point is to build up new defenses. A router with additional firewall is in the works. A working external drive for additional backup is being mailed from a friend. Unfortunately he is on the other side of the continent and the package will take at least 10 days to get here. Next trip into town I am going to be looking for anti-virus software on a CD. At this point I have lost faith in Symantec. After all, this virus blew right through Norton and turned off the firewall. I turned it back on 4 times and found it turned off again later on. Definitely not just an oversight on my part. Once maybe but not that many times.

My thanks to all who have contributed valuable ideas and suggestions.

best regards

Elnav

__________________
Elnav
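Added example (not from any poster in this thread) for the PST backup discussed in #34 and the storage limit mentioned in #36: it reads the PST header to tell the older ANSI format, which has a 2 GB ceiling, from the Unicode format, copies the file, and confirms by SHA-256 that the source did not change mid-copy and that the copy matches. The header offsets are an assumption taken from Microsoft's published PST file format; the function names are hypothetical and the sample file is constructed, not a real mailbox.

```python
import hashlib
import shutil
import struct
import tempfile
from pathlib import Path

PST_MAGIC = b"!BDN"         # dwMagic: first four bytes of a PST file
ANSI_LIMIT = 2 * 1024 ** 3  # 2 GB ceiling of the older ANSI format
CHUNK = 1024 * 1024


def pst_format(path):
    """Return 'ansi' or 'unicode' from the PST header; raise ValueError otherwise."""
    with open(path, "rb") as fh:
        header = fh.read(12)
    if len(header) < 12 or header[:4] != PST_MAGIC:
        raise ValueError(f"{path} does not start with the PST signature")
    (w_ver,) = struct.unpack_from("<H", header, 10)  # wVer field (assumed offset 10)
    if w_ver in (14, 15):
        return "ansi"
    if w_ver >= 23:
        return "unicode"
    raise ValueError(f"{path}: unexpected PST version field {w_ver}")


def sha256_of(path):
    """Stream the file so a multi-gigabyte PST never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_pst(src, dest_dir, ansi_limit=ANSI_LIMIT):
    """Copy one PST into dest_dir and verify the copy byte for byte."""
    src, dest_dir = Path(src), Path(dest_dir)
    fmt = pst_format(src)
    size = src.stat().st_size
    warnings = []
    if fmt == "ansi" and size > 0.9 * ansi_limit:
        warnings.append(
            f"ANSI PST is {size} bytes, within 10% of its {ansi_limit}-byte limit"
        )
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / src.name
    if dest.exists():
        # Never overwrite an older backup: it may be the only good copy.
        raise FileExistsError(f"{dest} already exists")
    before = sha256_of(src)
    shutil.copyfile(src, dest)
    if sha256_of(src) != before:
        dest.unlink()
        raise RuntimeError("source changed during copy; close Outlook and retry")
    if sha256_of(dest) != before:
        dest.unlink()
        raise RuntimeError("copy does not match source; check the target media")
    return {"dest": str(dest), "format": fmt, "size": size,
            "sha256": before, "warnings": warnings}


def constructed_header(w_ver):
    """Constructed 12-byte header for the demo: magic, CRC, client magic, wVer."""
    return PST_MAGIC + b"\x00" * 4 + b"SM" + struct.pack("<H", w_ver)


if __name__ == "__main__":
    work = Path(tempfile.mkdtemp())
    sample = work / "outlook.pst"  # constructed sample, not a real mailbox
    sample.write_bytes(constructed_header(14) + b"\x00" * 500)
    # A tiny limit is passed only so the demo triggers the size warning.
    print(backup_pst(sample, work / "backup", ansi_limit=520))
```

Run against a drive mounted read-only from a clean system or live CD, the source-changed check should never fire; if it does, something is still writing to the file.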
Guru
Engineering Fields - Electrical Engineering - New Member United States - Member - New Member

Join Date: Apr 2007
Location: Wichita, Kansas USA
Posts: 653
Good Answers: 30
#39
In reply to #36

Re: AntivirusXP 2008

09/02/2008 2:30 PM

Elnav,

I don't know where your IT specialist got his info, but he's wrong! When I was actively using Outlook Express, I remember transferring my mail by doing file copies, it had a file for each "folder" and an index file that indexed the folders, I would imagine it's still the same. Outlook uses a PST file, as I mentioned earlier, do a web search, I'm sure you can confirm my information.

Your "low speed port" issue means that computer you are using has USB 1.1 hardware, not the newer/faster USB 2.0. They are compatible, but the 1.1 will be much slower. My last computer had only 1.1, so I installed a USB 2.0 card, and disabled the onboard USB. No software fix for this one.

Removing the motherboard battery WILL NOT get rid of the virus if it has managed to get into the motherboard BIOS, the BIOS resides in FLASH memory, and will be retained even with no power/battery backup.

I feel your pain, I've had to clean up a number of infected computers in the last few years. I've become the "go to" person when friends/family have computer issues. Good luck!

Tom

Anonymous Poster
#45

Re: AntivirusXP 2008

09/06/2008 1:09 AM

ummm....there is a ready made fix available for this....just google it ........

Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#46
In reply to #45

Re: AntivirusXP 2008

09/06/2008 2:21 AM

Oh SURE! It's called gimme your money! . . . or else.

Think about it for a sec. Someone realizes they have an infected computer. Then they get a demand for money. The Malware is designed to get their money. It has a keystroke logger. They want you to give them your account number or credit card number plus your PIN to transfer money to them over the internet using an infected computer. Right!

They get your private information including your access codes and PIN number. So what guarantee do you have this information doesn't end up someplace it shouldn't?

Even if it is a legitimate software company offering a cure, what's to stop the malware from stealing the information on its way to the legitimate company? One of the listed symptoms is diverting you to a bogus website.

What guarantee do you have this is not a bogus attempt to separate you from your money. According to what can be googled, that is exactly what this malware is used for and how it works.

If you believe them, maybe you would be interested in the biggest scrap metal deal in history (a bridge). Or maybe you would be interested in some ocean front property in Arizona?

Sure, there is a ready made fix. Flatten the drive! Unless of course the malware has kept you from backing up crucial software information. I have 99% of my data backed up. It's that one percent that would kill me if I lost it. Murphy strikes again!

__________________
Elnav
Guru

Join Date: Mar 2008
Location: Atlanta, Georgia
Posts: 749
Good Answers: 13
#67
In reply to #46

Re: AntivirusXP 2008

09/07/2008 9:53 PM

Elnav,

From what I read that virus is residing in a central location on your computer, the bios.

At any rate when I run into something crazy and difficult that keeps coming back I use a very simple procedure that has always worked.

Turn off the machine.

Disconnect the power cord.

Open the case and remove the battery.

Wait a few seconds, return the battery and return everything to normal. Restart your machine.

You will have to make some entries as the machine boots up but good chance you will have got rid of it.

j.

Score 1 for Good Answer
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#72
In reply to #67

Re: AntivirusXP 2008

09/08/2008 12:55 AM

That's what I thought also. I removed the memory battery and replaced it back last Tuesday. No difference! In one of the emails way, way back another poster pointed out that flash bios is not erased if you remove the battery. I can't find the email right now but I had mentioned also shorting out the power supply lines to the capacitors used on board to keep memory alive. I think that was when someone pointed out that this would not erase rewritable Bios ROM.

I once heard that virus can hide in the memory chips on the video card. Maybe if I remove the video card and nuke it in the microwave that will sterilize it.

__________________
Elnav
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#73
In reply to #72

Re: AntivirusXP 2008

09/08/2008 12:59 AM

Has anyone ever heard of this company?

firewall@new--online-support.net

An email showed up in my email tonight advertising firewalls.

I deleted it; since it is advertising it's probably malware. Right??

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#75
In reply to #73

Re: AntivirusXP 2008

09/09/2008 11:29 AM

Know before you go!

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#76
In reply to #75

Re: AntivirusXP 2008

09/09/2008 1:05 PM

Quite so. However I have been told by people who should know that these days malware distributors have learned how to disguise their offerings and web pages to look like legitimate companies.

Bottom line is: you no longer trust anything being offered on the internet. I do not trust automatic updates because I don't know what the update might do. I do not trust anything like the advert mentioned in my previous email. Who are they and how can you possibly validate their honesty?

Given the prevalence of internet fraud, identity theft, key stroke loggers lurking (who knows where) and so on, it's foolishness to even think of doing business over the internet. At least that is the message from police and internet security people who are quoted in the public newspapers.

Welcome to the brave new world.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#77
In reply to #76

Re: AntivirusXP 2008

09/09/2008 6:01 PM

Aw shucks lighten up will ya! Haha!!

Use external HD's and secure your info, create interesting tidbits for demo's and self regenerating and or mirrored responses activated if the vector is interrupted.

Put on a helmet, joint protection and gloves before surfing the net

www.blinkx.com/video/halo-3-how-to-unlock-all-amor-amour-animated-qwPHvTg1dg0fVrAm0n4Dfw

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#78
In reply to #77

Re: AntivirusXP 2008

09/10/2008 5:42 AM

I think he's a bit "Shell-shocked", so don't blame him too much!

__________________
"What others say about you reveals more about them, than it does you." Anon.
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#79
In reply to #78

Re: AntivirusXP 2008

09/10/2008 5:36 PM

The saga continues!

I obtained another hard drive (small 3 GB) and did a clean install from my original Windows XP disk. I then tried to install an anti virus package bought at the store. It's Trend Micro.

The antivirus package would not install because it detected missing service packs that were released since my original CD was burned. No surprise there. HOWEVER! When I tried to download the relevant service pack from Microsoft, I was informed this was not permitted since the request came from an area different than where the original serial number was registered in. HUH??? How did they figure that out?

I eventually found a phone number and called Microsoft. Sure enough. According to their records this computer was far away from where it was supposed to be and it had the wrong hard drive. I explained that I had moved 700 kilometers away since buying the computer and because of a virus infection had been forced to change my hard drive.

Too bad sir. Maybe if you can prove what you say we might let you re-register and validate your computer with the new hard drive in it. Oh sure! Except the 3 GB HD in use now was temporary, until the big drive arrives in a week or so. Does that mean I would have to go through this whole validation process once more?

Yes they said. @&*#y!! H*#! I said.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#80
In reply to #79

Re: AntivirusXP 2008

09/10/2008 9:05 PM

I sit and write on my Vista machine and wonder

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 5)
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#82
In reply to #80

Re: AntivirusXP 2008

09/11/2008 12:28 AM

Not to worry or wonder. VISTA has already phoned home and told them all about it. No secrets there. It's all collected at that unnamed floor in the federal building in St. Louis.

__________________
Elnav
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#83
In reply to #82

Re: AntivirusXP 2008

09/11/2008 1:06 AM

XP has that back door trojan too

__________________
If death came with a warning there would be a whole lot less of it.
Guru
Popular Science - Weaponology - New Member Safety - ESD - New Member Hobbies - Fishing - New Member

Join Date: Sep 2006
Location: Near Frankfurt am Main, Germany. 50.390866N, 8.884827E
Posts: 17996
Good Answers: 200
#84
In reply to #83

Re: AntivirusXP 2008

09/11/2008 3:41 AM

There is software around to shut such doors, some of it is free too. The one I use also shuts down windows messenger completely if you never use it like me!!

__________________
"What others say about you reveals more about them, than it does you." Anon.
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#86
In reply to #84

Re: AntivirusXP 2008

09/11/2008 12:45 PM

I always shut down windows messenger in 'services' and crawled in the back door drawn a red circle around the bugs and burned everything inside the circles

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 5)
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#85
In reply to #79

Re: AntivirusXP 2008

09/11/2008 10:57 AM

Hello Elnav:

A thought occurred to me a couple of days ago but I figured your parts would have arrived by now.

Three or four years ago I solved the problem on my sister's computer (she lives about 2000 miles away in Montgomery, Alabama) by sending her a copy of pcAnywhere. Her son was still at home and let's just say he was doing some online anatomy studies. The computer was constantly loaded with spyware. Usually I can talk her through getting it off and getting the machine running again. In this instance there were some residual problems. At any rate, whatever the problem was, I was able to straighten it out. The other great thing was that once she had a copy of pcAnywhere it was much easier to transfer large files or programs to her. For some reason I haven't had much luck with FTP protocols.

Unless you have a copy of pcAnywhere physically available to you, this is probably of little use. If you happen to have one there shouldn't be any problem transferring files that way. In case you aren't familiar with pcAnywhere or similar products, once set up you can remotely control the machine via the Internet. However, since it does not use any type of browser to do this, it's likely the virus would ignore anything being downloaded that way.

It and similar software have been very useful to me in the past. I had a building that I monitored and could make remote adjustments to the HVAC through my PC. And of course, just as Murphy would have it, if I was in Alabama the building would be having problems. Since my machine had the software necessary for the remote interface with the building, it was the only system that had remote access to the building. Fortunately I had already dealt with my sister's problems so pcAnywhere was installed on both machines, and fortunately I thought about this before I left on vacation and left my machine booted, so was able to remotely access my machine and then remotely access the controls for the building.

Now to my point. Your dealings with Microsoft jogged my memory. XP has the same ability to be remotely accessed packaged in. I found this out when a friend of mine had a problem on his XP machine and someone at Microsoft support told them how to set it up, and they took remote control of his machine to fix the problem. I have no idea as to the extent of its capabilities, but should you have enough alcohol or tranquilizers available (I find it impossible to deal with Microsoft tech support sober) to you, it's possible you could call Microsoft tech again and see if they could help you with your problem, or if direct file transfer is available. There's probably someone on the site that has used that feature it exists in XP. I'm sure many of us will be happy to link with your machine to send you the software that you've been unable to download.

Hopefully Microsoft is useful for something besides pirating software. They protect their software like $.10 in sales would break the company, and incorporate features developed by other manufacturers into their operating system thus breaking the little companies. You'll have to give it to Bill Gates, he not only gets away with pirating the software, but also he eliminates competition legally.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#87
In reply to #85

Re: AntivirusXP 2008

09/11/2008 2:33 PM

Three or four years ago I solved the problem on my sisters computer, by sending her a copy of pcAnywhere.

REPLY

I had forgotten about that program. Haven't used it since DOS 6.0 was a current OS. After WIN95 came out I fell behind the curve. Prior to that I could manipulate files, directories and even rewrite configsys files and edit the registry with the best of them. Even made my own PC Anywhere cable from a schematic published by PC Anywhere. Nobody local at that time sold it. A computer is just a tool or an appliance as far as I am concerned. I have better things to do than bit diddling 16 hours per day.

I did know XP had a network since that is how they provide online tech support directly into your computer and also how they monitor system configuration. I just didn't think it was equated to PC Anywhere. Now that you mention it, it's obvious. Probably doesn't even need the administrative password. One concern would be if the virus or malware can migrate to other computers in the network. As soon as you set up a local network, the system detects which computers are turned on or not. You get a cable disconnected message if you unplug one.

BTW a friend who is a computer dealer confirmed that XP and VISTA are one shot software. You are only allowed to install it once, on one computer. If you attempt to install it on a second computer and that computer is then connected to the internet, Microsoft finds out. It's probably another reason they issue so many patches on a weekly basis. By convincing people to select Automatic update, they can then track every computer. With VISTA every computer is linked to them and reports on internet activity. That is how the Vancouver cops caught the child porno ring only a few months after VISTA was released. One cop let it slip they used VISTA to track the international ring down. Question is, what else are they tracking and who has access to the collected data? Closing the back door would be like a red flag. Cause for immediate investigation.

I will probably let Microsoft have a crack at eliminating the malware once I have backed up all my data completely. After all the computer is running a legal and registered copy of XP. Only question being, how would they do that if the malware has totally corrupted Internet Explorer. Maybe if I loaded Mozilla Firefox that would circumvent the malware. I now use Mozilla for emails and that is how I can go to CR4 forums. But my attempt to then link to the internet and something like Google is redirected to sleaze websites selling crap such as teenage junk products or dating services etc.

__________________
Elnav
Guru

Join Date: Dec 2007
Location: Cypress Calif
Posts: 741
Good Answers: 23
#88
In reply to #87

Re: AntivirusXP 2008

09/11/2008 2:54 PM

You said: After WIN95 came out I fell behind the curve.

Don't feel like the Lone Ranger, it's happened to me several times. I updated and built brand-new equipment, using a lot of new (at least for me) and cutting edge concepts. I was talking to one gamer who was interested in my system and asked if I was a gamer; my reply was, no, just a racer, making things go faster is habit. I had even planned upgradability between three machines. The rest is history. The Athlon XP line of processors came to an end. My DDR 333 was obsolete six months after I purchased a gig of it, SATA replaced IDE, my monster 400 W power supplies would've still been adequate but the pin count changed and they won't work on some boards. In short I went from cutting edge to re-learning everything in four years.

Two other friends ended up in the same situation. Both of them with considerable education in computers. Each one of us has made calls to one of the others with a question: what the hell does this do, or when did they do that. As you mentioned, unless your full-time work is primarily computers it is almost impossible to keep up. Between the three of us one of us will know something, and that's about the only way I keep up on things.

__________________
"The reasonable man adapts himself to the world; the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man" George Shaw
Off Topic (Score 5)
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#89
In reply to #88

Re: AntivirusXP 2008

09/11/2008 3:18 PM

roadrunner wrote: My DDR 333 was obsolete six months after I purchase a gig of it, SATA, replaced IDE, my monster 400 W power supplies would've still been adequate but the pin count changed and they won't work on some boards. In short I went from cutting edge to re-learning everything in four years.

REPLY: My infected computer has a power supply with lots of extra wires, pins etc. Some of the extra harnesses go to mother board others are left flying. Don't even know what or where they should be plugged in.

A friend who is a computer whiz tells me the new models no longer come with CDs etc. It's obsolete. (I already knew floppies and 5.25 HD drive bays were obsolete, as are 5" CD.) Pretty soon they won't even have a front panel. No plugs, sockets, or blinking lights. Just a wireless access point. Next they will probably go the way of automotive dealers and rivet the cases shut so none but authorized dealers can access the hardware inside. Grrr!

__________________
Elnav
Off Topic (Score 5)
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#91
In reply to #89

Re: AntivirusXP 2008

09/12/2008 1:28 AM

Your friend meant the new computers no longer come with "restore" and driver CD's.

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 5)
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#92
In reply to #91

Re: AntivirusXP 2008

09/12/2008 1:59 AM

My Dell has a recovery utility (Hit F8 or something I think). As far as I know (UK), suppliers who ship with a factory install have to supply recovery discs or such a utility. Only trouble is, it will probably ice your documents/personal software etc.

__________________
For sale - Signature space. Apply on self addressed postcard..
Off Topic (Score 5)
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#95
In reply to #92

Re: AntivirusXP 2008

09/12/2008 11:47 AM

If you follow the instructions (boot computer with disc in drive), then yes, your stuff is toast. But instead, don't follow the directions: boot computer, put the disc in drive and explore the contents, pick and choose what you may.

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 5)
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#97
In reply to #95

Re: AntivirusXP 2008

09/12/2008 12:08 PM

Dell's inbuilt recovery doesn't need a disc. I've used it twice when in a dire mess, and the odd thing is that first time it didn't scratch my documents etc. Everything was put back to 'as-shipped', including the **** I didn't want, but my personal documents etc weren't gone. Second time, the personal stuff got iced. Weird! It didn't matter since I was just playing when I first got the system. Any stuff I don't want to risk losing gets hard copied, just in case. After a bit of sweet talking, the nice folk at Dell sent me some set-up discs for free. I like to have belt and braces. Dell's online/downloadable support is also fairly good these days.

__________________
For sale - Signature space. Apply on self addressed postcard..
Off Topic (Score 5)
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#98
In reply to #97

Re: AntivirusXP 2008

09/12/2008 12:13 PM

Yeah a mirror is helpful.

You paid for the R&D now collect

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 5)
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#100
In reply to #98

Re: AntivirusXP 2008

09/12/2008 12:23 PM

It's cool when you can get a freebie just for the asking.

__________________
For sale - Signature space. Apply on self addressed postcard..
Off Topic (Score 5)
Guru
Popular Science - Weaponology - bwire Hobbies - Car Customizing - New Member

Join Date: Dec 2007
Location: Upper Mid-west USA
Posts: 7498
Good Answers: 97
#101
In reply to #100

Re: AntivirusXP 2008

09/12/2008 1:13 PM

Correct and while you and Dell are chummy have them give you a patch for their BIOS update rather than needing to go through the manufacturer which will present a major disruption of service later.

__________________
If death came with a warning there would be a whole lot less of it.
Off Topic (Score 5)
Guru

Join Date: Mar 2007
Location: Etherville
Posts: 12362
Good Answers: 115
#102
In reply to #101

Re: AntivirusXP 2008

09/13/2008 2:57 AM

To paraphrase a Brit TV commercial, "KrisDel™ don't do freebies, but if they did.... they'd be the best freebies in the world."

__________________
For sale - Signature space. Apply on self addressed postcard..
Off Topic (Score 5)
Guru
Canada - Member - New Member Hobbies - Musician - New Member

Join Date: Dec 2006
Location: Western Canada
Posts: 1863
Good Answers: 39
#94
In reply to #91

Re: AntivirusXP 2008

09/12/2008 2:56 AM

No! He meant the computers he sells no longer come with CD drives. They only come with the newest and latest DVD mini disks. But they also come with some new kind of memory chip sockets and such like. My mother-in-law bought a new computer and it had all sorts of plug-ins like that behind a hidden panel. I didn't realize they were there until I pulled the covers off the case and saw the wires leading from the mother board. No floppy drive or CD but it had four USB ports on the back and some kind of micro chip memory socket. Some of my boating clients use what they describe as small format computers. The motherboard is 10 cm x 10 cm. The power supply is about the size of a pack of cigarettes. No floppy or CD drives and a remote wireless keyboard and mouse. These are great for dedicated navigation software applications. Some can run directly from ship's DC power, while others require a small inverter.

__________________
Elnav
Off Topic (Score 5)

Users who posted comments:

Andy Germany (7); Anonymous Poster (5); BlueAussieBoy (1); bwire (25); charsley99 (1); elnav (41); Jack Jersawitz (1); Janissaries (1); johnfotl (1); Kris (10); mike k (2); millec1 (1); pwr2thepeople (1); tdesmit (3); user-deleted-9 (1); YWROADRUNNER (10)
