How to make a USB drive write protected




The main source of viruses these days is USB flash drives. Viruses are now capable of copying themselves to whatever flash drive is attached to the infected computer’s USB port. You can write-protect your USB drive by using this small portable tool.

USB WriteProtector is a portable freeware tool that lets you lock your flash drives for write protection so that viruses or other unwanted things don’t copy themselves to your flash drive.

After you enable write protection, you will not be able to write files to or delete files from your flash drive, and your data remains safe from being misused by viruses.

Compatibility

This 186 KB tool is compatible with Windows XP and Vista, and supports nine languages: English, Hungarian, Italian, Dutch, Polish, Portuguese, Russian, Chinese and Spanish.

http://www.gaijin.at/dlusbwp.php

converting FAT to NTFS file systems

Converting to NTFS

Although there are certainly third–party utilities that allow you to convert from FAT16 or FAT32 to NTFS (and may be cuter about it), you really don't need any special tool to perform the conversion—the necessary program is included on your hard disk as part of the Windows XP installation. To use this utility to convert your D drive, for example:

1. Close all open applications. This process may require a reboot, so be prepared.

2. Click Start, click Run, and then type cmd, and press Enter.

3. In the command window, type:

convert D: /FS:NTFS

4. Press Enter.

That's it. If there are open files on the volume being converted, you'll have to reboot your system for the process to complete. And if this is a large drive that contains lots of files, the process could take a while to complete. I don't recommend that you try to do anything else while the conversion is occurring.

FAT and NTFS file systems

To NTFS or not to NTFS—that is the question. But unlike the deeper questions of life, this one isn't really all that hard to answer. For most users running Windows XP, NTFS is the obvious choice. It's more powerful and offers security advantages not found in the other file systems. But let's go over the differences among the file systems so we're all clear about the choice. There are essentially three different file systems available in Windows XP: FAT16, short for File Allocation Table, FAT32, and NTFS, short for NT File System.

FAT16

The FAT16 file system was introduced way back with MS–DOS in 1981, and it's showing its age. It was designed originally to handle files on a floppy drive, and has had minor modifications over the years so it can handle hard disks, and even file names longer than the original limitation of 8.3 characters, but it's still the lowest common denominator. The biggest advantage of FAT16 is that it is compatible across a wide variety of operating systems, including Windows 95/98/Me, OS/2, Linux, and some versions of UNIX. The biggest problem of FAT16 is that it has a fixed maximum number of clusters per partition, so as hard disks get bigger and bigger, the size of each cluster has to get larger. In a 2–GB partition, each cluster is 32 kilobytes, meaning that even the smallest file on the partition will take up 32 KB of space. FAT16 also doesn't support compression, encryption, or advanced security using access control lists.


FAT32
The FAT32 file system, originally introduced in Windows 95 Service Pack 2, is really just an extension of the original FAT16 file system that provides for a much larger number of clusters per partition. As such, it greatly improves the overall disk utilization when compared to a FAT16 file system. However, FAT32 shares all of the other limitations of FAT16, and adds an important additional limitation—many operating systems that can recognize FAT16 will not work with FAT32—most notably Windows NT, but also Linux and UNIX as well. Now this isn't a problem if you're running FAT32 on a Windows XP computer and sharing your drive out to other computers on your network—they don't need to know (and generally don't really care) what your underlying file system is.

The Advantages of NTFS

The NTFS file system, introduced with the first version of Windows NT, is a completely different file system from FAT. It provides for greatly increased security, file–by–file compression, quotas, and even encryption. It is the default file system for new installations of Windows XP, and if you're doing an upgrade from a previous version of Windows, you'll be asked if you want to convert your existing file systems to NTFS. Don't worry. If you've already upgraded to Windows XP and didn't do the conversion then, it's not a problem. You can convert FAT16 or FAT32 volumes to NTFS at any point. Just remember that you can't easily go back to FAT or FAT32 (without reformatting the drive or partition), not that I think you'll want to.

The NTFS file system is generally not compatible with other operating systems installed on the same computer, nor is it available when you've booted a computer from a floppy disk. For this reason, many system administrators, myself included, used to recommend that users format at least a small partition at the beginning of their main hard disk as FAT. This partition provided a place to store emergency recovery tools or special drivers needed for reinstallation, and was a mechanism for digging yourself out of the hole you'd just dug into. But with the enhanced recovery abilities built into Windows XP (more on that in a future column), I don't think it's necessary or desirable to create that initial FAT partition.

When to Use FAT or FAT32

If you're running more than one operating system on a single computer (see my earlier column Multibooting Made Easy), you will definitely need to format some of your volumes as FAT. Any programs or data that need to be accessed by more than one operating system on that computer should be stored on a FAT16 or possibly FAT32 volume. But keep in mind that you have no security for data on a FAT16 or FAT32 volume—anyone with access to the computer can read, change, or even delete any file that is stored on a FAT16 or FAT32 partition. In many cases, this is even possible over a network. So do not store sensitive files on drives or partitions formatted with FAT file systems.

What is the 16 bit MS-DOS Subsystem

The 16 bit subsystem is what allows some older MS-DOS software to run in today's Windows NT and XP. It sets up a simulated MS-DOS environment, and many old applications can run fairly well. (This is not to be confused with the Command Shell, which is a true 32 bit Windows application.)

But in this case it looks like some old 16 bit MS-DOS application is attempting to start when you log in. In fact, it's possible that the 16 bit debugging program debug.exe is being started.

If you had just installed some new software, I might suspect that as the cause. Especially if it was a new install of some old software package. However my assumption is that this isn't the case.

command.com and cmd.exe

As you probably know, MS-DOS was the predecessor to Windows. It was character mode only, and you ran programs by typing their name at the command prompt. MS-DOS was created when 16 bit processors were becoming popular, and its widespread adoption is credited with kick starting the rise in popularity of the personal computer.

Then two things happened: Windows, and 32 bit processors. Fast forward to today, and MS-DOS has pretty much disappeared from the landscape - Windows, and its rich graphical interface, is everywhere. The same is true for the 16bit processor. Most all contemporary machines are built on various flavors of 32bit processors.

What does all that have to do with COMMAND.COM and CMD.EXE? It's quite simple really: CMD.EXE is a command line processor for 32bit Windows. Much like MS-DOS before it, it provides a character-mode only user interface into which you can type commands to run programs. CMD.EXE is a 32 bit program that is fully a part of Windows - in fact it's what gets run when you select Command Prompt on the Windows Accessories menu.

COMMAND.COM, on the other hand, exists only for compatibility and 16bit programs. It exists solely for those programs which have not been updated since the days of MS-DOS. It's designed to run 16bit applications, and operates just like the old MS-DOS did.

On the surface, they're very similar. Even though CMD.EXE was a complete re-write, it's based on the same concepts and similar syntax. But the differences become quickly apparent. Let's use your "CD" example from above.

In CMD.EXE, you can change to the "Program files" directory by doing this:

cd "\Program Files"

Note the quotes around the directory name. Try doing that in COMMAND.COM and you'll get this:

cd "\Program Files"
Parameter format not correct - "\program

The problem is COMMAND.COM doesn't know about long file names (filenames longer than 8.3) or filenames that have spaces in them, and it doesn't have a way to quote the name. So if you still need to, how do you CD to that directory in COMMAND.COM? Well, first you need to find out the alternate, 8.3 name of that directory ... its short name:

dir /x

Directory of C:\

08/21/2005 09:50 AM PROGRA~1 Program Files

(I've removed some of the lines of output for brevity.) The "/X" parameter to DIR tells it to include the "shortname" in the output. In this case that's "PROGRA~1", a machine generated alternative name for "PROGRAM FILES". Now we can CD to that in COMMAND.COM:

cd progra~1
dir

Volume in drive C is
Volume Serial Number is B026-62CA

Directory of C:\PROGRA~1

08/21/2005 09:50 AM .
08/21/2005 09:50 AM ..
03/24/2005 04:42 PM Adobe
...etc...

The bottom line is actually quite simple: use CMD.EXE unless you know you need COMMAND.COM for compatibility with some older 16bit program. And even then, if you try and run a 16 bit program in CMD.EXE, it will typically run it within COMMAND.COM for you anyway, so you still may not need to know or care.

And in case you're wondering, yes ... something similar is coming down the road as 64 bit processors begin to arrive. The 64bit version of Windows does, I believe, include another command processor, one for native 64bit command-line programs.
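
How a "machine generated alternative name" like PROGRA~1 comes about, as an added example that is not part of the original article. It models only the common "first six characters plus ~N" form; the function names are this example's own, and `dir /x` remains the authoritative answer on a real volume because the number depends on what else is in the directory.

```python
"""Simplified model of how Windows derives an 8.3 alias such as PROGRA~1.

Added example. It covers the "first six characters + ~N" form only and
assumes the caller supplies any aliases already present in the directory.
"""

# Characters allowed in long names but replaced by "_" in a short name.
REPLACED_IN_SHORT = set("+,;=[]")


def _split(name):
    """Split at the last dot into (base, extension); no dot means no extension."""
    base, dot, ext = name.rpartition(".")
    return (base, ext) if dot else (name, "")


def fits_83(name):
    """True if the name is already usable by a 16-bit program as it stands."""
    base, ext = _split(name)
    bad = REPLACED_IN_SHORT | {" ", "."}
    return (1 <= len(base) <= 8 and len(ext) <= 3
            and not any(c in bad for c in base + ext))


def _clean(part):
    """Replace characters that are not allowed in a short name."""
    return "".join("_" if c in REPLACED_IN_SHORT else c for c in part)


def short_name(long_name, existing=()):
    """Return the 8.3 alias for long_name, avoiding the aliases in `existing`."""
    if fits_83(long_name):
        return long_name.upper()          # no separate alias is needed
    # Upper-case, drop spaces and leading dots, keep only the last dot.
    cleaned = long_name.upper().replace(" ", "").lstrip(".")
    base, ext = _split(cleaned)
    base = _clean(base.replace(".", ""))[:6]
    ext = _clean(ext)[:3]
    taken = {n.upper() for n in existing}
    for n in range(1, 5):
        candidate = f"{base}~{n}" + (f".{ext}" if ext else "")
        if candidate not in taken:
            return candidate
    raise ValueError("~1 to ~4 are taken: Windows switches to a hashed "
                     "form that this example does not model")


def to_short_path(path):
    """Rewrite each component of a backslash path; assumes no alias collisions."""
    return "\\".join(short_name(p) if p else p for p in path.split("\\"))


if __name__ == "__main__":
    for name in ("Program Files", "Adobe", "index.html"):
        print(f"{name!r:20} -> {short_name(name)}")
    print(to_short_path(r"\Program Files\Adobe"))
```

Because the short name is a second name for the same directory, a rule or log search written only against "Program Files" will not match a command line that used PROGRA~1.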

Errors when installing USB 2.0 devices in XP SP2

1. USB Mouse will rarely work after rebooting when SP2 is installed.
Unplug it & plug it back in. Unplug it & plug it back in again. (Repeat this procedure (x) number of times while at the same time applying random mouse clicks/deskslams until mouse works.)

2. Good operating Printer/Scanner combo (Dell) will not work when hooked up after SP2 is installed. Neither reinstalling drivers from CD, nor downloading updated drivers or firmware from manufacturer, nor replacing cables,


"A USB device that is connected to a USB 2.0 hub is not detected in Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, or Windows Server 2003 x64 versions"

CAUSE: Microsoft Windows XP SP2 USB 2.0 driver causes an Enhanced Host Controller Interface (EHCI) specification violation.


MY OPINION (warning, I'm not a professional, but it worked)

SOLUTION: Since installing SP2 caused the problem, then revert necessary files back to the SP1 (working) version.

HOW:
After rebooting, the new hardware wizard will say it found new hardware. Normally, if you allowed it to automatically find the right files, it would take forever to search without finding the right files, and hardware will not be added. Instead, when new hardware wizard asks whether you want it to automatically search for files, don't let it. Do it manually.

Choose the device from the list then click 'have disk'. Browse to the folder on your C:\ where all drivers are stored (not sure if this folder is the same or exists on PCs other than Dell but my folder is c:\I386). First, the wizard finds the necessary USB Controllers (i.e., "USB Composite Device," "USB Printing Support") but when continuing, it warns you that the files have not passed some logo test thing from MS . . . continue installing anyway.

IMPORTANT: Each device will have at least ONE missing file that it cannot find (i.e., usbccgp.sys, usbprint.sys). Do a search of your C:\ for this file name, and look at the detailed results for a folder having SP1 in the path. Point your Wizard to this folder for the requested file and VOILA! SUCCESS!

Once the USB controllers install, a new (duplicate) device should show up (also with errors) in device manager. Follow the same steps to install drivers for these new devices and delete the original duplicate device from the list.

CD-R drive or CD-RW drive is not recognized as a recordable device


When you try to burn data to a CD-R or a CD-RW, you do not have the option to send data to the CD drive.

When you view the properties of the CD-R drive or the CD-RW drive, you notice that the Recording tab is not displayed in the CD Drive (drive_letter:) Properties dialog box, where drive_letter is the letter of the CD-R drive or CD-RW drive.

Note To view the CD Drive (drive_letter:) Properties dialog box, click Start, click My Computer, right-click the CD drive that you want, and then click Properties.

Additionally, you may receive the following error message:
There is no disc in the drive. Please insert a writable CD into drive.

DUE TO :
This can occur when your computer incorrectly detects the drive as a non-recordable device.

Edit the Windows registry
To resolve this problem, try to edit the Windows registry so that the drive is identified as a recordable device.

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs.

Note If the drive is not listed on the Windows Hardware Compatibility List, the drive may not work with your computer’s built-in CD-copying functionality, regardless of the registry setting.
The HCL is a list of computer hardware that is compatible with a particular operating system. To see whether your drive is included on the Windows HCL, visit the following Microsoft Web site:
http://www.microsoft.com/whdc/hcl/default.mspx

Step 1: Back up the registry
To back up the registry so that you can restore it if you have problems later, follow these steps:
a. Click Start, and then click Run.
b. In the Open box, type regedit, and then click OK.
c. Click to open the following folder:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives
d. On the File menu, click Export.
e. In the File name box, type backup of drives key, note the location where you are saving the file, and then click Save.

Note If you have problems later, you can restore this registry subkey by double-clicking the backup of drives key.reg file that you saved.

Step 2: Edit the drive type value of the volume folder
To edit the drive type so that Windows recognizes the drive as recordable, follow these steps:
a. In the navigation pane of the Registry Editor window, click the Volume{GUID} folder under Drives, where GUID is a 32-character identifier.

Note If your computer has more than one CD drive, an additional Volume{GUID} folder is listed for each drive.
b. In the right side of the Registry Editor window, double-click Drive Type.
c. In the Value data box, type 1 if the drive is a CD-R drive or 2 if it is a CD-RW drive.
d. Click OK, and then close Registry Editor.

Step 3: Verify that Windows recognizes the drive as a recordable device
To see whether Windows recognizes the drive as a recordable device now, follow these steps:
a. Click Start, and then click My Computer.
b. Under Devices with Removable Storage, right-click the CD-R drive or CD-RW drive, and then click Properties.
c. If the Recording tab is displayed, Windows recognizes the drive as a recordable device.
d. Click Cancel.
If Windows recognizes the drive as a recordable device, you should be able to burn data to a CD now. If you still have problems, follow the steps in the "Troubleshooting" section.

Troubleshooting
If your computer has more than one CD or DVD drive and the Recording tab is not displayed in the Properties dialog box (see step 3 in the "Edit the Windows registry" section), a drive may be configured incorrectly as "recordable" in the Windows registry. To resolve this problem, try changing the drive type of the drive you previously identified as a 1 or 2 to a type 3. Then change the drive type of the other drive to a 1 or 2. To try this, follow these steps:
1. Follow step 2 in the "Edit the Windows registry" section to edit the Drive Type value of the Volume{GUID} folder whose value you previously changed.
2. In the Value data box, type 3, and then click OK.

The drive type value of 3 indicates that the drive is a standard CD-ROM and is not a recordable drive.
3. In the navigation pane of the Registry Editor window, click the next Volume{GUID} folder.
4. Follow step 2 in the "Edit the Windows registry" section to change the Value data entry to 1 or 2, depending on the drive type.
5. Follow step 3 in the "Edit the Windows registry" section to confirm that the Recording tab is displayed in the Properties dialog box of the CD drive.
If the Recording tab is now displayed in the Properties dialog box, you should be able to burn data to a CD. If you still have problems, see the "Next steps" section.




This procedure may not work in all cases. This is only a workaround in a situation where the CD-R drive or CD-RW drive is capable of functioning in Windows XP and for some reason has been misidentified. If the drive is not on the Hardware Compatibility List (HCL), the drive may not work with the built-in CD copying functionality, regardless of this registry setting.

symptoms and solutions to win32generic host error

Symptoms:

* You are surfing the internet or are engaged in any type of Internet activity when suddenly all your Network activity comes to a halt. You can still see the Internet connected icon in the tray but you cannot surf, browse or do anything.
* You get an error message something like “Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.”
* Error message reporting about faulting netapi32.dll and svchost.exe.
* You try to disconnect your Internet because of no activity observed but the Internet icon won't disappear.
* You receive an error message something like “Your PC has recovered from a serious problem” etc.

Solution:

Follow these simple steps and your Windows will be fully cured of this menace :D

Close Port 445:

1. Start Registry Editor (Regedit.exe) by clicking Start menu, and then click the Run icon.
2. In the small box that Opens, type: regedit then click the OK button. The Registry Editor will now have opened.
3. Locate the following key in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters
In the right-hand side of the window find an option called TransportBindName.
Double click that value, and then delete the default value, thus giving it a blank value.

Close Port 135:

1. Then you must now navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
2. You will see there is a String Value called: EnableDCOM
Set the value to: N (it should currently be Y)
3. Close the Registry Editor. Shutdown and Restart your computer.

Well, that's all :) but if you want you can disable NetBIOS.
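
A way to confirm that both registry changes above actually took effect, as an added example that is not part of the original post. It reads a regedit export (File > Export) of the two keys; the sample export embedded in it is constructed, and the function names are this example's own.

```python
"""Check a regedit export for the two values changed in the steps above.

Added example; SAMPLE_EXPORT is constructed, not taken from a real machine.
Pass the export in as decoded text. "Version 5.00" exports are UTF-16, so
open the .reg file with encoding="utf-16" before calling audit().
"""
import re

# (key, value name) -> data the page says to set. A blank TransportBindName is
# the "Close Port 445" step; EnableDCOM = N is the "Close Port 135" step.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters",
     "TransportBindName"): "",
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\OLE", "EnableDCOM"): "N",
}

# Constructed sample: port-445 step not yet applied, port-135 step applied.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"TransportBindName"="\\Device\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"DefaultLaunchPermission"=hex:01,00,04,80
'''

KEY_LINE = re.compile(r'^\[(.+)\]$')
# "name"="data" lines only; dword: and hex: values are not needed here.
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(text):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(export_text):
    """Return {(key, value name): data} for string values, names lower-cased."""
    values, key = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        match = KEY_LINE.match(line)
        if match:
            key = match.group(1).lower()
            continue
        match = STRING_VALUE.match(line)
        if match and key is not None:
            name = _unescape(match.group(1)).lower()
            values[(key, name)] = _unescape(match.group(2))
    return values


def audit(export_text):
    """Return {value name: (status, data found)}; status is ok/differs/missing."""
    found = parse_reg_export(export_text)
    report = {}
    for (key, name), wanted in EXPECTED.items():
        # The registry ignores case in key and value names, so compare that way.
        data = found.get((key.lower(), name.lower()))
        if data is None:
            status = "missing"   # not in this export: nothing can be concluded
        elif data.upper() == wanted.upper():
            status = "ok"
        else:
            status = "differs"
        report[name] = (status, data)
    return report


if __name__ == "__main__":
    for name, (status, data) in audit(SAMPLE_EXPORT).items():
        print(f"{name:20} {status:8} {data!r}")
```

After the restart, `netstat -an` shows whether anything is still listening on ports 445 and 135.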

how to fix WIN32 generic host error while connected to internet

Here are 4 new solutions to the Generic Host For Win32 Error in Windows:

Solution# 1:

1. Hop to ‘Run’ and open ‘Regedit’
2. Navigate to:
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > Browser > Parameters
3. Find the value named IsDomainMaster and set its data to False.
4. Restart Your PC

Solution# 2:

1. Go to ‘Run’ and open ‘cmd’
2. Type ‘netsh’ in command console then press enter
3. Then type ‘winsock’ and press enter and then type reset
4. Restart Your PC

Solution# 3:
Get the LspFix and follow the steps as directed

Solution# 4:

Get the Microsoft Update Patch and apply it. Thanks to Nirmal for this.

I hope one of these solutions will definitely help you rectify the error.

Moreover you can always see my old guaranteed post about Fixing Generic Host Error

Windows errors related to monitor.exe?

monitor.exe is a service which is a part of the Microsoft Server operating system, and is specifically related to monitoring hardware components for performance bottlenecks.

Virtual memory errors in Microsoft Vista OS

Question:

I am running Windows XP or Vista and continue to get a warning message from my computer telling me that my system is low on virtual memory. Can someone tell me why this is and how to fix it?


Answer:

Before you can begin troubleshooting virtual memory, you need to understand what it is and how it works.

The easy answer would be to increase your RAM, but there are several factors that could contribute to your issue, so we'll start at the top.
If you are running a Windows XP machine and typically have several programs running, I would recommend no less than 512MB of RAM. A lot of manufacturers recommend only 256MB of RAM, and I believe Microsoft says that 128MB is sufficient. I would argue both of those by saying that most users do more than one thing at a time on their computer and from personal experience, more is better in the world of RAM. Windows Vista is a whole different animal with a recommended 1GB minimum, but with the prices of RAM dropping significantly every day, it's not difficult to exceed the recommendations.

RAM vs. virtual memory:

RAM is the amount of physical memory installed on your computer. It acts like short-term memory, enabling programs to load and operate faster. When you start a program or an application, it uses a part of that memory. Most programs will require at least 32MB of RAM. If you look in your system tray (next to the time), there are usually four or more programs running (antivirus, firewall, and so on). Those background programs alone require 128MB. Then if you use any programs, such as a Web browser or a word processor, it requires more memory.

Windows makes up the difference for that amount of RAM requirement by allocating or reserving a portion of your hard drive to act as though it were RAM. That's what is referred to as virtual memory, or page file. The less RAM you have the more virtual memory is allocated. Windows typically manages that for you. As a standard rule of thumb, Windows creates a virtual memory of 1½ times your physical RAM. So if you have 256MB of actual RAM, Windows pagefile (virtual memory) will equal 384MB.


Managing Virtual Memory:

Unless you are an experienced user, you should allow Windows to manage this setting for you. Your issue could arise if somehow the default settings have been changed. To begin with diagnosing your problem you should follow these steps to ensure that Windows is properly managing your Virtual Memory settings.

1. Find out how virtual memory is being managed. Right-click "My Computer" and choose "Properties". Click the Advanced tab, then under Performance click Settings.

2. That opens your Performance Options. Click the Advanced tab. For the "typical" home user Processor Scheduling & Memory Usage should be set to "Programs".

3. Under Virtual Memory, click the Change button.

4. That opens your Virtual Memory options. If you have more than one hard drive, make sure that your Main hard drive is selected under "Drive".

5. Under "Paging File Size for Selected Device" check the box that says System Managed Size.

6. Click Ok on all 3 boxes to close out of those settings and Restart your Computer.

Now, if you are still receiving the warning messages and you have ample RAM, you move on to the next step. You should try to eliminate as many background services as possible (all those in the system tray, next to the time, for starters). For safety reasons, you should make sure that your Anti-virus and Firewall are always running. Most of the others can be set not to run in the background by opening the program, select its settings and uncheck or disable the part that says "System Tray". On my personal computer, I only have three that load into the system tray at start up, My Antivirus, Firewall, and an Audio volume icon.


RAM Hogs:

Check your system Tray- A lot of programs that people install, like Real Player or QuickTime, or an Instant Messenger, by default want to run in the background and put an icon in your system tray even though you may not need them to always be on. Eliminating as many of those background services as possible will free up the demand on your RAM. Avoid installing programs that supposedly "Free up" your RAM. They tend to increase your pagefile size and ultimately reduce system performance.


Good Housekeeping:

You should also follow through last week’s submission, "Keeping your Windows machine running lean, clean, and mean" and be sure that you maintain for your computer… Keep Windows Up to date, Virus Free, protected with a firewall, eliminate "SpyWare", clean up your temporary files, etc. Basically, a clean computer is a happy computer.

Those are the "BEST PRACTICES" that can be recommended. Now there are other known causes that trigger the warning that your Virtual Memory is running low. To properly determine what it is would depend greatly on whether it happens when you start your computer, at shut down, or intermittently (just "out of the blue" from time to time).

You should read Microsoft’s Knowledge Base articles to see if either applies to you:

Article #315351:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315351

Article #811153:
http://support.microsoft.com/default.aspx?scid=kb;en-us;811153

Why does my computer turn on by itself?

Question:

I find at various times of the day or night that my computer turns on all by itself. What causes this, and how do I get it to stop? Running Windows XP Pro.

Answer:

Computer turns on by itself:

The ghost machine that turns itself on and off is a fairly common problem. When a computer mysteriously does this, it's a BIOS issue. If you are unfamiliar with the system BIOS, read a couple of the previous articles about changing BIOS settings and be sure to see the note below.
You typically enter BIOS by restarting your computer and immediately pressing the Delete key repeatedly until you enter the BIOS Utility Screen (usually in blue). The fix is fairly easy.


Once in BIOS, go to Power Options (refer to the owner's manual if you do not know where it is).
Scroll down to Wake On LAN and/or Wake On Ring and change them to Disable.

This will prevent the computer from being able to come out of its power down mode whenever the phone rings or if LAN activity occurs (i.e., you have another computer in the house on a network and someone logs on to the network from there).

Press F10 and choose YES to save settings and exit. Your system restarts and the problem should be fixed.

NOTE: USE EXTREME CAUTION in BIOS. Changing the incorrect settings may cause your computer to not be able to reboot or operate.

I Can't Access My Files: "Access Denied" error

Windows XP | Access Denied Errors
Question:


I run Windows XP Pro and I recently had to recover from a crash. When I restored my backup files and folders I get an error that says "Access Denied", even though I am logged on with Administrative rights.


If you are unable to access a file or a folder, you must take ownership of that file or folder. When you do this, you replace the security permissions to have access.

NOTE:
If you are using Windows XP Professional, you must disable Simple File Sharing. By default, Windows XP Professional uses Simple File sharing when it is not joined to a domain.
See KB 307874 (http://support.microsoft.com/kb/307874/) How to disable simplified sharing and set permissions on a shared folder in Windows XP

How to take ownership of a folder

NOTE:
You must be logged on to the computer with an account that has administrative credentials. If you are running Microsoft Windows XP Home Edition, you must start the computer in safe mode, and then log on with an account that has Administrative rights to have access to the Security tab.

To take ownership of a folder, follow these steps:

1. Right-click the folder that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click your user name, or click Administrator if you are logged in as Administrator, or click the Administrators group. If you want to take ownership of the contents of that folder, select the Replace owner on subcontainers and objects check box.
5. Click OK, and then click Yes when you receive the following message:
You do not have permission to read the contents of directory folder name. Do you want to replace the directory permissions with permissions granting you Full Control?
All permissions will be replaced if you press Yes.
Note folder name is the name of the folder that you want to take ownership of.
6. Click OK, and then reapply the permissions and security settings that you want for the folder and its contents.


How to take ownership of a file

NOTE:
You must be logged on to the computer with an account that has administrative credentials.

To take ownership of a file, follow these steps:

1. Right-click the file that you want to take ownership of, and then click Properties.
2. Click the Security tab, and then click OK on the Security message (if one appears).
3. Click Advanced, and then click the Owner tab.
4. In the Name list, click Administrator, or click the Administrators group, and then click OK.
The administrator or the Administrators group now owns the file. To change the permissions on the files and folders under this folder, go to step 5.
5. Click Add.
6. In the Enter the object names to select (examples) list, type the user or group account that you want to give access to the file. For example, type Administrator.
7. Click OK.
8. In the Group or user names list, click the account that you want, and then select the check boxes of the permissions that you want to assign that user.
9. When you are finished assigning permissions, click OK.

That's it.. you should now be able to access your files and folders accordingly. If you have any further questions, feel free to email me anytime.

hard disk not getting defragmented!!

Question:

I run Windows XP Pro and am experiencing a couple of problems with my computer. I use Windows Update regularly. After doing an update, I usually defrag the hard drive. However, I now receive a message saying that the hard drive cannot be defragged. What is the cause of this, and how can I solve the problem?

Answer:

Defrag issues:

The defrag problem can have numerous possible causes. Also, there's more than one issue going on here (and a lot of the answer depends on how your system was built to begin with). So, we’ll tackle these problems one at a time. A couple of scenarios could cause you to be unable to defrag your hard drive, and each of them is very specific.

1. The main key here is that you said this happened after you did an update. The best way to see if it was that particular Windows XP Hotfix is to uninstall the actual Hotfix that caused the issue. To achieve this, go to Start > Settings > Control Panel > Add/Remove Programs and scroll down to find the Hotfix that is under suspicion and uninstall it, then reboot the computer and try to run defrag again.

If you aren’t sure which one it was, you will have to do this process multiple times until the computer is back to normal. You can always go back to Windows Update and download them again if you inadvertently removed one that was not causing the issue.

NOTE: It is a BEST PRACTICE to download updates one at a time to avoid this issue in the future. Be sure to read the known issues with Windows Service Pack 2, before you update to that. Windows provides a lot of information at this webpage: WINDOWS SERVICE PACK 2:
http://support.microsoft.com/default.aspx?scid=fh;EN-US;windowsxpsp2


2. Another common issue that causes you not to be able to defrag a hard drive is if you have “bad sectors” on your hard drive. Bad sectors are areas on the actual hard disk that are either physically failing or have bad data written to them. They used to be detected and fixed by Scandisk on previous versions of Windows, but it has been replaced by “Checkdisk” on Windows XP.

CHECKDISK: Go to My Computer, right-click the hard drive you want to check, select Properties > Tools, then under Error Checking click the “Check Now” button. A dialogue box opens; select Fix File System Errors and click Start. This can take a while, so be patient.

NOTE: If the drive that you want to fix is the system drive, there will be open files on the drive. You will see a dialog box announcing that the utility needs exclusive access to operate and can't gain that access unless you re-start your computer. Click Yes.
XP will re-start in character mode, meaning that you can't do anything other than run the utility. Unless you strike any key within ten seconds of seeing the restricted boot message, Check Disk will run. After Check Disk has finished, you will either see Disk Check Complete (no errors) or a list of errors and repairs.
If for some reason you are unable to perform this task, boot into SAFE MODE (Reboot > Press F8 repeatedly, immediately after restarting until a screen opens giving the option to boot to safe mode).


3. If you have upgraded your computer from a previous version of Windows (ie: ME or Win98) and did not choose to convert your filing system to NTFS, then you are limited by the space that Windows needs to complete the job. If your hard drive has less than 15% space remaining then you would run into this issue.
If you would like to convert your system to NTFS, Microsoft provides a utility in Windows XP and a detailed explication of the procedure here:
Microsoft KB Article: 314097 http://support.microsoft.com/default.aspx?scid=kb;en-us;314097

Because there are so many things that can contribute to these issues, I would encourage you to keep us posted on whether or not this fixed your problems. A lot of these are the first steps in diagnosing an issue and may require further steps to COMPLETELY fix your system. I hope this helps with your situation. If you followed all the steps above and are still having issues, then I would encourage you to reply to the submissions and I can help you further diagnose your particular problem.

How to Create a Multisession Data DVD?

One of the new benefits of a DVD burner being included on almost every computer you purchase these days has to be the ability to back up large quantities of data on a single disposable disc. The DVD format is capable of holding 4.7GB of data; that's about 120 minutes of video. This is wonderful news for those who want to burn their personal videos to play on their home DVD players, but what if you want to use it to back up files and folders?

Using the "multi-session" feature within your software, you can do incremental back-ups of your system data. By using this feature, only the data that has changed gets re-written. This update feature is wonderful for saving time on large back-up operations.



Using Roxio Nero Express | Nero Burning ROM (PC Only)

Launch Nero Express from the Start Menu - Go to Start, All Programs (Programs in Windows 98), Nero, and Nero Express - or use the icon on your Desktop. This will bring up the Nero project page.
Nero Express will ask, "Which recorder would you like to use?" Be sure to select your DVD-R/RW and not the CD-R/RW.
Click the Add button to select the files you would like to burn. A window will appear that looks very similar to Windows Explorer and from here you are able to choose the files you would like to record and save on disc.
Navigate to the folder that contains the files you wish to add.
Select one file by clicking on it.
Select several random files by clicking the first one, and then holding down the CTRL key while clicking on the additional files.
Select all of the files, by right-clicking on one of the files, and then left-clicking on Select all.
Once you have selected your file(s), click the Add button. Repeat this process until you have added all of the files you wish.
Click the Finished button. This will return you to the previous screen. A gauge at the bottom of the screen will tell you how close you are to filling the DVD. As long as the bar is blue, you are okay.
Once all your files have been added, click "Next" to prepare your disc for burning.
Choose your burn settings:
Current Recorder - The supported burners you have connected to your PC will be displayed and the Image Recorder if you chose to save to your hard drive.
Disc Name - Select a title for your disc.
Writing Speed - Select the speed in which you would like to burn.
Number of Copies - Select the number of copies you would like to burn.
Allow files to be added later - select Yes.
Verify data on disc after burning - It is a good idea to tick this box.
Click the Burn button. As you are burning, you will see a moving status bar indicating the progress of the recording process.
Wait patiently for the blank disc to be written. When finished, Nero will inform you that the process is complete. Click OK.
After the successful recording, you will be returned to the recording window. Click "Next" to move forward to a window that will ask what you want to do now that you have finished this project. In the meantime, Nero will eject the newly created DVD.

CD /DVD Related errors

CD drive or DVD drive errors may cause unexpected program crash in Windows XP


SYMPTOMS
When you start or run a program in Microsoft Windows XP, the program may crash when it tries to read valid data from or write valid data to a CD or DVD drive. You may receive the following error message:
Program_name has caused and error and must be closed.
We apologize for the inconvenience. If you were in the middle of something, the information you were working on might be lost.
Please tell Microsoft about this problem. We have created an error report that you can send to help us improve Program_name. We will treat this report as confidential and anonymous.
CAUSE
This problem occurs when Windows XP cannot access a file because of a problem with the CD or DVD drive or with the drivers for the CD or DVD drive. When this problem occurs, Windows XP closes the program.

WORKAROUND
To work around this problem, follow these steps:
1. Identify the file that cannot be opened. To identify the file, follow these steps:
a. Click Start, click Run, type EVENTVWR, and then click OK.
b. In Event Viewer, click Application log.
c. Click the Source column heading to sort the list by source and to list all the Application Error sources at the top of the list.
d. Search for an event with a source of Application Error and an event ID of 1005.
e. Double-click this event.
f. The file that cannot be opened will be listed in the Description box. Note the file name, and then close Event Properties.

2. Try to open the file again. The problem may have been temporary and may not occur when the program runs again.
3. If you still cannot open the file, determine whether other files on the same CD or DVD can be opened. If not, the CD drive or DVD drive may be damaged or the device drivers may be damaged. To resolve these problems, contact your administrator or computer hardware vendor for more help.

How to fix CD or DVD related errors?

After you remove a program from your computer, you can no longer access the CD drive or the DVD drive successfully. The CD drive or the DVD drive does not appear. Or, you receive an error message when you try to access the drive. This article contains two methods to resolve this problem. One of the methods requires that you manually modify the Windows registry to remove the UpperFilters registry entry and the LowerFilters registry entry.
Symptoms of the problem
In Microsoft Windows XP, after you remove a CD recording program or a DVD recording program, or after you remove a different program, you experience the following symptoms:
• You cannot access the CD drive or the DVD drive by using My Computer.
• One of the following error messages appears when you view the CD drive or the DVD drive in Device Manager:

Error message 1
The device is not working properly because Windows cannot load the drivers required for this device (Code 31).
Error message 2
A driver for this device was not required, and has been disabled (Code 32 or Code 31).
Error message 3
Your registry might be corrupted. (Code 19)
• You receive an "error code 39" error message.
• A message that resembles the following appears in the notification area:
Windows successfully loaded the device driver for this hardware but cannot find the hardware device. (Code 41)
Method 2: Manually delete the registry entries
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
Log on to Windows by using an account that has administrator rights and permissions. Then, follow these steps.
Step 1: Start Registry Editor
Click Start, click Run, type regedit, and then click OK. Registry Editor starts.
Step 2: Delete the UpperFilters registry entry
1. In Registry Editor, expand My Computer, and then expand HKEY_LOCAL_MACHINE.
2. Expand SYSTEM, and then expand CurrentControlSet.
3. Expand Control, and then expand Class.
4. Under Class, click {4D36E965-E325-11CE-BFC1-08002BE10318}.
5. In the right pane (topic area), click UpperFilters.

Note An UpperFilters.bak registry entry may also appear. To delete the UpperFilters registry entry, you must click UpperFilters and not UpperFilters.bak.
6. On the Edit menu, click Delete.
7. When you receive the following message, click Yes to confirm the deletion of the UpperFilters registry entry:
Are you sure you want to delete this value?
The UpperFilters registry entry is removed from the {4D36E965-E325-11CE-BFC1-08002BE10318} registry subkey.

Note Do not exit Registry Editor. You must have this program for the next step.
Step 3: Delete the LowerFilters registry entry
1. In Registry Editor, expand My Computer, and then expand HKEY_LOCAL_MACHINE.
2. Expand SYSTEM, and then expand CurrentControlSet.
3. Expand Control, and then expand Class.
4. Under Class, click {4D36E965-E325-11CE-BFC1-08002BE10318}.
5. In the right pane (topic area), click LowerFilters.

Note A LowerFilters.bak registry entry may also appear. To delete the LowerFilters registry entry, you must click LowerFilters and not LowerFilters.bak.
6. On the Edit menu, click Delete.
7. When you receive the following message, click Yes to confirm the deletion of the LowerFilters registry entry:
Are you sure you want to delete this value?
The LowerFilters registry entry is removed from the {4D36E965-E325-11CE-BFC1-08002BE10318} registry subkey.
8. Exit Registry Editor.

Step 4: Restart the computer
If a CD recording program no longer works after you restart the computer, you must reinstall the CD recording p

How to save battery power on Windows Vista laptops

Nowadays, people who buy laptop computers are mostly running the Windows Vista operating system.

Windows Vista includes the Aero user interface and the Windows Sidebar. Because of these features, battery life is reduced.

Go to http://www.codeplex.com/vistabattery, where you will find a program named Vista Battery Saver. Download that program; it gives you a different type of power file that you can install on your laptop, and this gives good backup for the battery.

How to change the Windows boot screen safely?

Nowadays many people use shareware programs that change the boot screen.

But after uninstalling these programs, the system may fail to boot and the system kernel may be corrupted.

There is a good way to avoid this.

Use http://www.stardock.com/products/bootskin/index.asp

At this URL you can get the BootSkin program for free.

After installing it, go to http://www.wincustomize.com/Skins.aspx?LibID=32 to get boot screens.

How to disable the Run as option on mouse right-click?



As you all know, when you run an application from the right-click menu, the Run as option appears. To disable this option, you can modify the registry as follows:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Go to HideRunAsVerb: create a DWORD with that name and give it the value 1.
This removes the Run as option from the context menu.

You will see Run only.

W32/Zhelatin.gen!eml




This is a generic detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download. On visiting the link, a cocktail of browser and application exploits attempts a drive-by install of malware on the user’s machine. The script which is used for the drive-by download is detected as JS/Downloader-BCZ.
Characteristics

This threat is updated on a daily basis.
For the latest on the tactics used by this virus family, please check the Avert Blog.
This is a detection of spammed email messages used to entice users into visiting sites hosting exploits that would result in a drive-by download.
User receives an email titled “You’re received a postcard” in his inbox and is requested to open the link contained in the message body in order to view the virtual postcard.
On visiting the link, a cocktail of browser and application exploits attempts a drive-by install of malware on the user’s machine.
A copy of the spammed message is as follows:
Note: The link in the message has been sanitized to protect users from guessing.
Symptoms
Presence of the W32/Zhelatin.gen!eml detection is not an indication that a system has become actively infected.
The from address is spoofed when sending infectious email messages and therefore, it can not be assumed that the from user address is any indication of which user may actually be infected.
The following list of subject lines has been observed in the wild:
You’ve received a greeting card from a admirer!
You’ve received a greeting card from a class mate!
You’ve received a greeting card from a class-mate!
You’ve received a greeting card from a colleague!
You’ve received a greeting card from a family member!
You’ve received a greeting card from a friend!
You’ve received a greeting card from a mate!
You’ve received a greeting card from a neighbor!
You’ve received a greeting card from a neighbour!
You’ve received a greeting card from a partner
Customers should simply delete all email messages identified as W32/Zhelatin.gen!eml.
Method of Infection
The URL in the message points to a site hosting a cocktail of browser and application exploits. On visiting the site, a silent drive-by install of malware is attempted on unpatched machines.
Removal -
A combination of the latest DATs and the Engine will be able to detect and remove this threat. AVERT recommends users not to trust seemingly familiar or safe file icons, particularly when received via P2P clients, IRC, email or other media where users can share files.

What is Sohanad.AE?

Sohanad.AE is a worm. It infects Windows systems and spreads through Yahoo! Messenger, a popular instant messaging application.

The worm arrives as a downloaded file via Yahoo! Messenger.

Upon execution, this worm copies itself as SVHOST32.EXE and SVHOST.EXE in the Windows folder.

The worm modifies the registry at the following location to load itself at each startup.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

It also creates the following registry keys to modify the settings of Yahoo! Messenger.

HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_buzz
HKEY_CURRENT_USER\Software\Yahoo\pager\View\YMSGR_Launchcast


The worm also modifies the registry to disable Registry Editor and Task Manager.

It also changes the Internet Explorer (IE) home page to:

http://(BLOCKED)coolpics.net

This worm propagates via Yahoo! Messenger by sending an instant message to all the contacts of an active user. This message contains a link to a remote copy of itself. When the recipient clicks the link, a copy of this worm is downloaded and executed on the recipient's system.

The messages sent out by this worm are:

Do you realize who is in this image: http://{BLOCKED}coolpics.net/who.jpg . Just think for a moment and tell me soon ;))
:D who is beside you in this pic http://thecoolpics.net/friendpic1.jpg so good-looking
:( the page cannot be displayed http://{BLOCKED}coolpics.net/error.jpg Something was wrong !!! Check it again and tell me later. THanks
Images shot in Iraq _ The war will never end http://{BLOCKED}coolpics.net/Iraqwar.jpg << :(
Miss World 2006: http://{BLOCKED}coolpics.net/MissWorld.jpg !! <<
oh my god , i've won a 20000 usd lottery :O http://{BLOCKED}coolpics.net/mylottery.jpg <<


It also attempts to connect to the following website to download and execute some malicious files.

http://{BLOCKED}vey-sales.com/ipn/transactions/en.exe
http://{BLOCKED}vey-sales.com/ipn/transactions/link-en.exe


The worm tries to terminate some of the security related processes.

This worm first appeared on November 12, 2006.

Nhatquanglan Virus?

A Nhatquanglan Virus?

Follow along as you discover the three files that make up a Nhatquanglan virus infection and how you can protect yourself from a possible threat to your personal security. A Nhatquanglan virus is a really annoying virus that takes away your power over your PC by blocking important programs from running.

It disguises itself as a folder but is actually a program that sends out your personal information over the internet for everyone to see. You may or may not have a Nhatquanglan virus on your PC yet, but to be safe, it would be wise for you to discover how it can affect you and ways on how to protect yourself.

If you are not careful, below are just some of the ways this virus can affect you.

Nhatquanglan Virus blocks Device Manager

Device Manager is the page where you manage everything that is connected to your PC. This includes hard disk drives, modems, printers, monitors - you name it, it’s there. You use this to replace old software that makes a particular computer part work, or to change hardware settings, add a new piece of hardware, or to stop it from working completely and more.

Aside from this, Device Manager is usually the place where tech support tells their clients to go when dealing with problems with their PC’s. When you are infected by a Nhatquanglan virus, all your power to change the settings of the peripherals on your PC is gone. Now, when a modem does not work, you cannot check what is wrong with it - and you can’t connect to the internet either.

Nhatquanglan Virus and Task Manager

Aside from not letting you use your PC’s Device Manager, there are other ways that this virus can give you a hard day. When your PC is infected with a Nhatquanglan virus, and a program that you are using has crashed or hung, you no longer have the power to “kill” the offending program because the Nhatquanglan virus will not let you use Task Manager - one of the useful tools included with your Windows installation.

Because you cannot use Windows Task Manager, you cannot lock your PC every time you take a break - making it possible for everyone to look at what you are doing. There are other ways that a Nhatquanglan virus can give you a bad day and some of them, you might not want to know.

Let’s not talk about how annoying a Nhatquanglan virus is anymore - I think you already have an idea. If you want more, here is a list of annoyances it can give you - or you can just say goodbye to these problems by getting rid of a Nhatquanglan virus right now.

  • It does not allow you to run Regedit to change Windows XP registry settings.
  • It will not allow you to run the Command Prompt, where some of the more important Windows XP commands can only be used.
  • It will not allow you to change File Type Extensions. Too bad, you can use this tweak to make Microsoft Excel 2007 start faster.
  • You cannot change a folder to be hidden or not - you just cannot do that because it takes away the Folder Options.
  • It can infect other PCs as well - annoying if you are on a network. It can also transfer itself to thumb drives (iPods, flash disks, etc).

Nhatquanglan Virus Files

There are files that you need to remove for you to get rid of a Nhatquanglan virus infection. And they are:

  • blastclnnn.exe
  • scvshosts.exe
  • hinhem.scr
  • New Folder.exe

Did you know that you can do a simple test to see if your PC is infected with a Nhatquanglan virus? And as you go along reading this article, you’ll find out for yourself.

For you to be protected, I believe that it is important that you know more about this virus - this will give you the necessary information you need in case you or your friend do get infected.

You have already discovered how a Nhatquanglan virus can annoy you. Now discover how this virus works…

How A Nhatquanglan Virus Ruins Your Day

The Nhatquanglan disguises itself as a folder inside the folder that it has infected. Too confusing? Let me put it this way: Suppose you have a folder named CLEAN. The virus will make copies of itself on the CLEAN folder using CLEAN as its name. Now, you have a program named CLEAN on the CLEAN folder.

Here’s a tip: To tell if it’s a program and not a real folder, hover your mouse over it and look at the tool tip that pops up.

If it’s a real folder, it must not show the word “File Version:” If it does, do not open or double click it!! That might be a Nhatquanglan virus!

Nhatquanglan Virus Removal Instructions

What I am about to reveal to you is how I got rid of a Nhatquanglan infection using only one free tool that you can download over the Internet.

This fix worked for me but your results may vary - use the guide I am about to give at your own risk. Or, get software that scans your PC for viruses and have it scanned for you.

To start, you need to have a copy of ComboFix saved on your PC. ComboFix scans your drive for possible infections and tries to delete the three hidden files that the Nhatquanglan uses to make copies of itself. ComboFix is a free tool.

Get your copy, save it on your hard drive, and remember where you saved it. For this guide, I am assuming that you have saved it on the C:\ drive.

Restart your PC in Safe Mode. You do this by pressing the F5 key when your PC starts. You need to use Safe Mode with Command Prompt. Don’t mind the list of files that Windows XP loads as it starts.

Now, while at the Command Prompt, run the ComboFix program by typing (without the quotes): “combofix” and hitting the Enter key. ComboFix will now do its job - scanning your PC for Nhatquanglan infections. Just follow what ComboFix says. After it finishes, the file that shows what ComboFix has done will open up.

You may read it if you like, but most of it is jargon. Hopefully, ComboFix has cleaned your PC of a Nhatquanglan virus infection - but to be sure you need to do some last minute cleaning.

I’ll reveal to you what you should do…

Go to the Command Prompt and do the following (without the quotes), hitting the Enter key after each command:

“cd \”

“del c:\windows\system32\scvshosts.exe”

“del c:\windows\system32\blastclnnn.exe”

“del c:\windows\hinhem.scr”

What you just did was delete the three Nhatquanglan files. Take note of the spelling, especially of scvshosts.exe. This is different from svchost.exe, which is an important Windows XP file!

You also need to remove a task that is scheduled by the Nhatquanglan virus. This virus adds one task to the Task Scheduler - so every time you start your PC, it executes this task, which is to make copies of itself. This is how it manages to appear again and again even if you managed to delete the three Nhatquanglan files: scvshosts.exe, blastclnnn.exe and hinhem.scr. To remove the scheduled task, you need to take a peek at the list of tasks. You do this by going to the Command Prompt and typing the following commands (without the quotes):

“cd \”
“cd windows\tasks”
“del *.job”

Note: The last command above deletes everything in the Windows\Tasks folder. If you have tasks scheduled and you do not want them to be deleted, you need to manually check each one. A scheduled task that has scvshosts.exe as the program to be performed, needs to be deleted.
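The manual check described in the note above can be scripted so that only the tasks that mention the virus files are singled out for deletion. This is an added example, not part of the original article; it assumes the program path is stored inside each .job file as UTF-16LE or ASCII text, and the sample task file it builds is a constructed stand-in.

```python
import os

# The three file names the article says the scheduled task keeps recreating.
TARGET_NAMES = ("scvshosts.exe", "blastclnnn.exe", "hinhem.scr")


def referenced_names(data, names=TARGET_NAMES):
    """Return the target names found in raw .job bytes, as ASCII or UTF-16LE text."""
    views = [data.decode("latin-1").lower()]
    for offset in (0, 1):  # try both byte alignments for 2-byte characters
        views.append(data[offset:].decode("utf-16-le", errors="ignore").lower())
    return sorted({name for name in names for view in views if name in view})


def jobs_to_review(task_dir, names=TARGET_NAMES):
    """Map each .job file that mentions a target name to the names it mentions.

    Nothing is deleted here; the result is the short list to inspect and remove
    by hand instead of running "del *.job".
    """
    hits = {}
    for entry in sorted(os.listdir(task_dir)):
        if not entry.lower().endswith(".job"):
            continue
        with open(os.path.join(task_dir, entry), "rb") as handle:
            found = referenced_names(handle.read(), names)
        if found:
            hits[entry] = found
    return hits


def build_sample_job(program_path):
    """Constructed stand-in for a .job file: zero padding, then the path as UTF-16LE.

    It is not a complete task file and Task Scheduler would not load it.
    """
    return b"\x00" * 70 + program_path.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    # Point this at the real folder on the affected PC, e.g. C:\WINDOWS\Tasks.
    for job, names in jobs_to_review(r"C:\WINDOWS\Tasks").items():
        print(job, "->", ", ".join(names))
```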

When all is ok, you may now restart your PC. Hopefully, you can now use the Task Manager, Device Manager, Folder Options and other commands in Windows XP. Remember the trick I told you about on how to see if there is a Nhatquanglan virus on your PC? I’ll reveal it to you now…

As a preventive measure, you might want to change how your files show when you explore them on your PC. Set them to Details.

That’s all there is to it. Now, when you glance at the folder name, also take a look at its Type column. If the picture of the folder is a folder but under the Type column it reads Application, you might want to reconsider opening it. It might be a virus… just waiting to pounce on you.
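The Type-column check above, and the CLEAN folder example earlier in the article, can be automated for a whole drive or thumb drive. The following is an added example, not code from the original article. It goes slightly beyond the text by also flagging a program named after a folder sitting beside it, which is a heuristic assumption; the sample tree it builds contains only empty, constructed files.

```python
import os

# File names the article lists for this infection (compared in lower case).
KNOWN_NAMES = {"blastclnnn.exe", "scvshosts.exe", "hinhem.scr", "new folder.exe"}
PROGRAM_EXTS = {".exe", ".scr"}


def find_folder_impostors(root):
    """Return sorted (relative path, reason) pairs for programs posing as folders."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        folder = os.path.basename(os.path.normpath(dirpath)).lower()
        siblings = {name.lower() for name in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() not in PROGRAM_EXTS:
                continue  # Explorer would not show "Application" for this file
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.lower() in KNOWN_NAMES:
                findings.append((rel, "file name listed in the article"))
            elif stem.lower() == folder:
                findings.append((rel, "program named after the folder that contains it"))
            elif stem.lower() in siblings:
                findings.append((rel, "program named after a folder beside it"))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: empty files laid out like the CLEAN example in the text."""
    layout = [
        "CLEAN/CLEAN.exe",       # copy named after its own folder
        "CLEAN/notes.txt",
        "CLEAN/New Folder.exe",  # name from the article's file list
        "Photos/holiday.jpg",
        "Photos.exe",            # program next to a folder of the same name
        "tools/setup.exe",       # ordinary program, should not be reported
    ]
    for relative in layout:
        path = os.path.join(root, *relative.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for path, reason in find_folder_impostors(sample_root):
            print(path, "->", reason)
```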

Tips On How to Prevent Future Virus Infections

After you have successfully removed a Nhatquanglan virus infection, it would be wise to take extra measures to prevent this virus from infecting your PC again. A simple change in surfing habits - such as looking out for suspicious sites, can dramatically decrease your chance of getting one of these viruses.

A Nhatquanglan virus can also spread itself via your thumb drive such as an Apple iPod, etc. Speaking from experience, I would recommend that you install reliable software that monitors and protects your PC from viruses.

Your best bet would be an anti-virus and a firewall. The anti-virus is to help detect a virus as it moves, giving you the option to delete it or put it in a quarantine so it won’t infect other files.

A firewall blocks suspicious incoming connections to your PC - pretty much how a Nhatquanglan managed to infect your PC. Having a copy of an anti-spyware/malware can also help a lot.

How to remove tray icons from the system tray?


Open Registry Editor:

Start -> Run -> regedit

Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


Create a new DWORD value named NoTrayItemsDisplay and set it to 1.


W32/Mytob.gen@MM

Type: Virus
SubType: Email Generic
Discovery Date: 03/02/2005
Length: Varies
Minimum DAT: 4438 (03/02/2005)
Updated DAT: 5249 (03/11/2008)
Minimum Engine: 5.1.00
Description Added: 03/02/2005
Description Modified: 05/18/2005 12:08 PM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exist. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in line with the Sdbot worm family. Newer variants include the FURootkit, contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 24, 2005 --
AVERT has received 3 new variants of this threat within an hour. The variants use multiple forms of compression/encryption and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows, HOWEVER replicated samples can not be identified by file hash or size as the virus appends garbage to the end of the executable.

  • 55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d)
  • 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249)
  • 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40)

These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi

Body: (Varies, such as)

  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.
  • Mail transaction failed. Partial message is available.

Attachment: (varies [.bat, .exe, .pif, .cmd, .scr] - often arrives in a ZIP archive)

  • examples (common names, but can be random)
  • doc.bat
  • document.zip
  • message.zip
  • readme.zip
  • text.pif
  • hello.cmd
  • body.scr
  • test.htm.pif
  • data.txt.exe
  • file.scr

In the case of two file extensions, multiple spaces may be inserted as well, for example:

  • document.htm (many spaces) .pif
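The attachment naming tricks listed above (executable extensions, double extensions, space padding, delivery inside a ZIP archive) can be checked at a mail filter before a user ever sees the file. This is an added example, not part of the advisory; the decoy-extension list beyond .htm and .txt is an assumption, and the sample archive is constructed.

```python
import io
import zipfile

# Final extensions the advisory lists for Mytob attachments.
EXECUTABLE_EXTS = {".bat", ".exe", ".pif", ".cmd", ".scr"}
# Harmless-looking inner extensions. Assumption: .htm and .txt come from the
# advisory's examples, the others are added here for illustration.
DECOY_EXTS = {".htm", ".html", ".txt", ".doc", ".pdf", ".jpg"}


def classify_name(filename):
    """Return the reasons (possibly none) a name matches the patterns above."""
    name = filename.strip()
    stem, dot, ext = name.rpartition(".")
    ext = "." + ext.strip().lower()
    if not dot or ext not in EXECUTABLE_EXTS:
        return []
    reasons = ["executable extension " + ext]
    inner = stem.rstrip()
    if inner != stem:
        # "document.htm        .pif": the spaces push ".pif" out of view.
        reasons.append("whitespace padding before the final extension")
    inner_ext = "." + inner.rpartition(".")[2].lower() if "." in inner else ""
    if inner_ext in DECOY_EXTS:
        reasons.append("double extension " + inner_ext + ext)
    return reasons


def inspect_attachment(filename, payload=b""):
    """Check one attachment; for a ZIP archive, check every member name as well."""
    findings = [(filename, reason) for reason in classify_name(filename)]
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as archive:
                for member in archive.namelist():
                    base = member.replace("\\", "/").rsplit("/", 1)[-1]
                    findings += [(filename + "!" + member, r) for r in classify_name(base)]
        except zipfile.BadZipFile:
            # An archive the filter cannot open cannot be cleared either.
            findings.append((filename, "ZIP archive could not be read"))
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP holding one padded double-extension member."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("readme.txt" + " " * 40 + ".scr", b"placeholder, not a program")
    return buffer.getvalue()


if __name__ == "__main__":
    samples = [("test.htm.pif", b""), ("notes.txt", b""), ("message.zip", build_sample_zip())]
    for name, payload in samples:
        for where, reason in inspect_attachment(name, payload):
            print(where, "->", reason)
```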

When the attachment is run, the virus copies itself to the WINDOWS SYSTEM directory (typically c:\windows\system32) as wfdmgr.exe. Registry keys are created to load this file at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\
    CurrentVersion\Run "LSA" = wfdmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Run "LSA" = wfdmgr.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
    RunServices "LSA" = wfdmgr.exe

Additional keys/values are created, which are typically associated with W32/Sdbot.worm:

  • HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa "LSA" = wfdmgr.exe
  • HKEY_CURRENT_USER\Software\Microsoft\OLE
    "LSA" = wfdmgr.exe
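The Run-key entries above, the Sohanad.AE copies named SVHOST32.EXE and SVHOST.EXE, and the Nhatquanglan file scvshosts.exe all rely on names that are easy to misread as a system file. The following added example (not part of the advisory) audits the text output of `reg query` for a Run key and flags such look-alikes by edit distance. The value names Updater and Helper, the wdfmgr.exe reference name and the distance threshold are assumptions made for this illustration, and the sample output is constructed.

```python
import re

# Names being imitated. svchost.exe is named on this page; wdfmgr.exe is an
# assumption added here (a stock Windows XP SP2 service binary).
PROTECTED_NAMES = ("svchost.exe", "wdfmgr.exe")
MAX_DISTANCE = 3  # heuristic threshold (assumption); tune for your environment

VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")
IMAGE = re.compile(r'([^\\/"]+\.(?:exe|scr|com|bat|cmd|pif))', re.IGNORECASE)

# Constructed sample in the layout printed by "reg query <key>".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    LSA    REG_SZ    wfdmgr.exe
    Updater    REG_SZ    C:\WINDOWS\SVHOST32.EXE
    Helper    REG_SZ    "C:\WINDOWS\system32\scvshosts.exe" /quiet
"""


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def _stem(image):
    """Lower-case name without extension or trailing digits (svhost32.exe -> svhost)."""
    return image.lower().rsplit(".", 1)[0].rstrip("0123456789")


def audit_run_key(reg_query_output):
    """Return (value name, image, imitated name, distance) for look-alike entries."""
    findings = []
    for line in reg_query_output.splitlines():
        match = VALUE_LINE.match(line)
        image = IMAGE.search(match.group("data")) if match else None
        if not image:
            continue
        name = image.group(1).lower()
        distance, reference = min(
            (osa_distance(_stem(name), _stem(ref)), ref) for ref in PROTECTED_NAMES
        )
        # The genuine name itself is not reported; near misses are.
        if name != reference and distance <= MAX_DISTANCE:
            findings.append((match.group("name"), name, reference, distance))
    return findings


if __name__ == "__main__":
    for value, image, reference, distance in audit_run_key(SAMPLE_REG_QUERY):
        print(f"{value}: {image} resembles {reference} (distance {distance})")
```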

Symptoms

The Sdbot functionality in the worm is designed to contact the IRC server named irc.blackcarder.net, join a specified channel, and wait for further instructions. This bot can accept commands to download and execute other programs. The bot also contains code to spread via the LSASS exploit [ http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx ]

Method of Infection

The mailing component harvests addresses from the local system. Files with the following extensions are targeted:

  • wab
  • adb
  • tbb
  • dbx
  • asp
  • php
  • sht
  • htm
  • txt
  • pl

The worm avoids certain addresses, namely those containing the following strings:

  • .gov
  • .mil
  • abuse
  • acketst
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • example
  • fido
  • foo.
  • fsf.
  • gnu
  • google
  • gov.
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • ietf
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • math
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • nodomai
  • panda
  • pgp
  • rfc-ed
  • ripe.
  • ruslis
  • secur
  • sendmail
  • sopho
  • syma
  • tanford.e
  • unix
  • usenet
  • utgers.ed

Additionally, the worm contains strings, which it uses to randomly generate, or guess, email addresses. These are prepended as user names to harvested domain names:

  • sandra
  • linda
  • julie
  • jimmy
  • jerry
  • helen
  • debby
  • claudia
  • brenda
  • anna
  • alice
  • brent
  • adam
  • ted
  • fred
  • jack
  • bill
  • stan
  • smith
  • steve
  • matt
  • dave
  • dan
  • joe
  • jane
  • bob
  • robert
  • peter
  • tom
  • ray
  • mary
  • serg
  • brian
  • jim
  • maria
  • leo
  • jose
  • andrew
  • sam
  • george
  • david
  • kevin
  • mike
  • james
  • michael
  • john
  • alex

Finally the virus sends itself via SMTP - constructing messages using its own SMTP engine. The worm guesses the recipient email server, prepending the target domain name with the following strings:

  • mx.
  • mail.
  • smtp.
  • mx1.
  • mxs.
  • mail1.
  • relay.
  • ns.
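Because the worm guesses mail hosts by name instead of using them through a mail relay, an infected workstation produces a recognisable pattern in resolver logs: address lookups for several of these prefixes on the same domain, repeated across domains. The following is an added example of that detection, not part of the advisory; the four-field log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Host-name prefixes the advisory says the worm prepends to a target domain.
GUESS_PREFIXES = ("mx.", "mail.", "smtp.", "mx1.", "mxs.", "mail1.", "relay.", "ns.")

def split_guess(qname):
    """Return (prefix, domain) if qname is <guess prefix><domain>, else None."""
    qname = qname.lower().rstrip(".")
    for prefix in GUESS_PREFIXES:
        if qname.startswith(prefix) and "." in qname[len(prefix):]:
            return prefix, qname[len(prefix):]
    return None

def find_mx_guessers(log_lines, min_prefixes=3, min_domains=2):
    """Return {client: [domains]} for clients that looked up at least
    min_prefixes guessed host names on each of at least min_domains domains."""
    probes = defaultdict(lambda: defaultdict(set))    # client -> domain -> prefixes
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                                   # skip malformed lines
        _timestamp, client, qtype, qname = fields
        if qtype != "A":
            continue                                   # only address lookups count
        guess = split_guess(qname)
        if guess:
            prefix, domain = guess
            probes[client][domain].add(prefix)
    flagged = {}
    for client, domains in probes.items():
        hits = sorted(d for d, seen in domains.items() if len(seen) >= min_prefixes)
        if len(hits) >= min_domains:
            flagged[client] = hits
    return flagged

# Constructed sample log (assumed format: timestamp client query-type name).
SAMPLE_LOG = """\
2005-04-13T09:00:01 10.0.0.23 A mx.contoso.test
2005-04-13T09:00:01 10.0.0.23 A mail.contoso.test
2005-04-13T09:00:02 10.0.0.23 A smtp.contoso.test
2005-04-13T09:00:02 10.0.0.23 A mx1.contoso.test
2005-04-13T09:00:03 10.0.0.23 A mx.fabrikam.test
2005-04-13T09:00:03 10.0.0.23 A mail.fabrikam.test
2005-04-13T09:00:04 10.0.0.23 A relay.fabrikam.test
2005-04-13T09:00:05 10.0.0.40 A mail.contoso.test
2005-04-13T09:00:06 10.0.0.40 A www.fabrikam.test
2005-04-13T09:00:07 10.0.0.5 MX contoso.test
2005-04-13T09:00:07 10.0.0.5 A mail.contoso.test
""".splitlines()

if __name__ == "__main__":
    print(find_mx_guessers(SAMPLE_LOG))
```

A single lookup such as mail.contoso.test is ordinary client behaviour and stays below the threshold; only the host that walks the prefix list on more than one domain is reported.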

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Variants

    N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Net-Worm.Win32.Mytob (AVP)
  • W32.Mytob
  • W32/Mytob

Characteristics

-- Update May 18, 2005 --
This is a generic detection for over 100 variants of Mytob. As the virus authors modify their source code and release new variants, some of them will be detected. However some variants are likely to be missed. As such the generic detection routines are likely to be modified regularly to provide more detection for these threats.

-- Update April 13, 2005 --
The Mytob author(s) have been very busy recently, releasing multiple variants a day. There are now some 96 different "versions" known to exist. Many of these are simply repackaged versions of the same binary, and most variants function in a similar fashion. The mailing routine remains much the same, while the bot functionality is evolving in line with the Sdbot worm family. Newer variants include the FURootkit, contain an Instant Messenger worm component (detected as W32/Mytob.worm!im), and spread via LSASS and DCOM RPC vulnerabilities.

-- Update March 2 4, 2005 --
AVERT has received 3 new variants within an hour of this threat. The variants use multiple forms of compression/encryption, and detection will be added to the 4455 DAT files. Initial seeding of the files can be identified as follows; HOWEVER, replicated samples cannot be identified by file hash or size, as the virus appends garbage to the end of the executable.

  • 55,808 bytes (MD5: 3bd3dbd1bfe64ceaba2422f70ed6a69d)
  • 54,272 bytes (MD5: a23865437b5ea46c123b880b9726a249)
  • 58,808 bytes (MD5: 8817839e27e829f38c6f2041a7b92e40)

These new variants create a file named hellmsn.exe on the root of the C:\ drive (detected as W32/Generic.e with released DAT files).
--

This detection covers multiple variants of a mass-mailing worm that combines W32/Mydoom@MM functionality with W32/Sdbot.worm functionality. The following description serves as an example of some of the variants:

The virus arrives in an email message as follows:

From: (Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Error
  • Status
  • Server Report
  • Mail Transaction Failed
  • Mail Delivery System
  • hello
  • hi


You may be a victim of software counterfeiting.

Microsoft has finally activated the most aggressive part of their Windows Genuine Advantage program -- active notifications.

After downloading the latest Windows updates, if your Windows cd-key doesn't validate against Microsoft's online database of cd-keys, you may be greeted with this unpleasant five-second mandatory delay dialog at the login page:

This copy of Windows is not genuine. You may be a victim of software counterfeiting. This copy of Windows is not genuine and is not eligible to receive the full range of upgrades and product support from Microsoft.

On top of that, you get a repeating balloon notification that nags you periodically while you use the operating system:

You may be a victim of software counterfeiting. This copy of Windows is not genuine. Click this balloon to resolve now.

The warnings also get more dire as time progresses:



This copy of Windows is not genuine and you have not resolved the issue. This computer is no longer eligible to receive select security upgrades from Microsoft. To protect your computer, you must click Get Genuine now.

The language here is a little misleading. Microsoft is socially obligated to provide critical security updates to pirated machines. Otherwise those vulnerable machines will eventually be compromised and potentially used in denial of service attacks and other nefarious schemes. Microsoft does provide so-called "critical" updates to all Windows machines, regardless of whether or not they're genuine.

This is all courtesy of the mandatory "Windows Genuine Advantage Notification" service that is being delivered now through Windows Update. This isn't just a service you can disable, or a process you can kill in task manager, either. You'll have to install some kind of questionable third-party hack to get around it.

I suppose it's only malware if you're a pirate. What's a poor, beleaguered user to do? Microsoft offers five options:

  1. Purchase a valid Windows XP cd-key online from Microsoft.
  2. If you can produce high-quality counterfeit media, along with a proof of purchase, you can get a free replacement key from Microsoft.
  3. Contact your reseller for redress.
  4. Purchase Windows XP from a local OEM reseller.
  5. Purchase Windows XP at a retail location.

Notice the word "Purchase" appears in three of those five options. There's almost no way to finagle a free cd-key out of this.

Recover from a Corrupted Registry in Windows XP

When Will This Recovery Work?

You'll want to use the steps on this page to recover from a corrupted registry when you have already tried other options such as System Restore and you receive a message similar to one of the following when you try to boot your computer with Windows XP.

  • Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SYSTEM
  • Windows XP could not start because the following file is missing or corrupt: \WINDOWS\SYSTEM32\CONFIG\SOFTWARE
  • Stop: c0000218 {Registry File Failure} The registry cannot load the hive (file): \SystemRoot\System32\Config\SOFTWARE or its log or alternate
  • System error: Lsass.exe. When trying to update a password the return status indicates that the value provided as the current password is not correct.

Be careful using this procedure in other circumstances or with an OEM version of Windows XP, since OEM installations create passwords and user accounts that did not exist previously and may cause you not to be able to log into the Recovery Console to restore files.

Booting into the Recovery Console

You'll need to use the Windows XP Recovery Console to fix a corrupted registry. This will either require you to boot from a Windows XP Installation CD or boot directly to the Recovery Console if it's installed. Follow these steps to boot into the Recovery Console from a Windows XP Installation CD.
1) Place your Windows XP CD in the CD-ROM drive
2) Restart your computer and make sure your BIOS is set to boot from CD
3) When you see the following message, press the space bar: "press any key to boot from cd..."
4) Wait until you see the "Welcome to Setup" screen, and press R to start the Recovery Console
5) Choose which Windows installation you wish to load (this is usually #1 unless you have a multi-boot system)
6) Type the administrator password and press Enter
7) You should now be at the C:\Windows> prompt

Copy Repair Files Using the Recovery Console

This procedure assumes Windows is installed on Drive C. If you have installed Windows on another drive, please substitute the appropriate drive letter in the procedure below.

At the Recovery Console command prompt, type the following lines, pressing ENTER after you type each line:

md tmp
copy c:\windows\system32\config\system c:\windows\tmp\system.bak
copy c:\windows\system32\config\software c:\windows\tmp\software.bak
copy c:\windows\system32\config\sam c:\windows\tmp\sam.bak
copy c:\windows\system32\config\security c:\windows\tmp\security.bak
copy c:\windows\system32\config\default c:\windows\tmp\default.bak
delete c:\windows\system32\config\system
delete c:\windows\system32\config\software
delete c:\windows\system32\config\sam
delete c:\windows\system32\config\security
delete c:\windows\system32\config\default
copy c:\windows\repair\system c:\windows\system32\config\system
copy c:\windows\repair\software c:\windows\system32\config\software
copy c:\windows\repair\sam c:\windows\system32\config\sam
copy c:\windows\repair\security c:\windows\system32\config\security
copy c:\windows\repair\default c:\windows\system32\config\default

Type exit to quit Recovery Console. Your computer will restart; press F8 as it starts and choose Safe Mode.

Restart in Safe Mode and Find a Recent Snapshot Backup

Restart your computer in Safe Mode by pressing F8 during the initial bootup and choosing Safe Mode.
Once in Safe Mode, you need to make sure the files and folders are visible so you can access them.
Follow these instructions to accomplish this.
1. Open My Computer
2. Click on the Tools menu, then click Folder Options.
3. Click the View tab.
4. Under Hidden files and folders, click to select Show hidden files and folders, and then click to clear the Hide protected operating system files (Recommended) check box.
5. Click Yes when the dialog box that confirms that you want to display these files appears.

In My Computer, double-click the drive where you installed Windows XP (usually Drive C) to display a list of the folders, then double-click on the "System Volume Information" folder. This folder contains the system restore points stored on your computer. The folders will look similar to

_restore{EE42BEB8-700A-495F-8004-53D26C2E12C5}

You might receive an access denied error message similar to the following when trying to access the System Volume Information folder.

C:\System Volume Information is not accessible. Access is denied.

This generally happens because the user you are logged in as does not have permissions set on the folder. To fix this, follow the instructions in the Microsoft Knowledge Base article 309531 to gain access and continue. Each version of Windows XP is different on how to change these permissions.

Once you have access to the snapshots, use the instructions below to copy one of the latest snapshots to the Windows\TMP directory so you have access to it.
1) In the System Volume Information Folder, click on View, and then click Details to display the date of each snapshot folder.
2) Double-click on a folder that was not created at the current time but rather before the problem started.
3) Double-click on the Snapshot subfolder
4) Using your normal Windows copy and paste techniques, highlight the following files and copy them into the C:\Windows\TMP folder:

  • _REGISTRY_USER_.DEFAULT
  • _REGISTRY_MACHINE_SECURITY
  • _REGISTRY_MACHINE_SOFTWARE
  • _REGISTRY_MACHINE_SYSTEM
  • _REGISTRY_MACHINE_SAM

5) Rename the files that you just copied into the C:\Windows\TMP folder by right-clicking on each filename and choosing Rename, then typing the new name. Repeat this for each file in the list below.

  • Rename _REGISTRY_USER_.DEFAULT to DEFAULT
  • Rename _REGISTRY_MACHINE_SECURITY to SECURITY
  • Rename _REGISTRY_MACHINE_SOFTWARE to SOFTWARE
  • Rename _REGISTRY_MACHINE_SYSTEM to SYSTEM
  • Rename _REGISTRY_MACHINE_SAM to SAM

6) Once you have renamed the files, restart your computer again with the Recovery Console (refer to the instructions above to do this)

Replace the Repair Files with a Current Backup of the Registry

After rebooting the computer and starting the Recovery Console again, type the following commands at the prompt to replace the files with a current backup. You'll need to press Enter after each command.

del c:\windows\system32\config\sam
del c:\windows\system32\config\security
del c:\windows\system32\config\software
del c:\windows\system32\config\default
del c:\windows\system32\config\system
copy c:\windows\tmp\software c:\windows\system32\config\software
copy c:\windows\tmp\system c:\windows\system32\config\system
copy c:\windows\tmp\sam c:\windows\system32\config\sam
copy c:\windows\tmp\security c:\windows\system32\config\security
copy c:\windows\tmp\default c:\windows\system32\config\default

After the files have been replaced, type EXIT at the command prompt to restart Windows in normal mode.

Use System Restore to Return to a Good Backup Point

Because there is more to a System Restore than just the registry files, follow these steps to restore your computer to a good backup point.
1. Click Start, and then click All Programs.
2. Click Accessories, and then click System Tools.
3. Click System Restore, and then click Restore to a previous Restore Point and finish the restore.