This post is going to be somewhat of a “link dump” for me of some pages that I’ve been perusing lately. After playing with RT (request tracker) – I added a few ticket items for the home network. Now, if you’ve been a longtime reader and sorted through ALL of these posts here you’ll know that I’ve made use of software raid on the home systems. Why? Linux software raid seems fairly reliable (so far – 2 years +). It doesn’t depend on a specific piece of hardware. In short IF the worst happens and the array fails I should be able to retrieve data from an individual drive more easily than if it were hardware raid. I’m using Raid Level 1 (cloning/mirroring) and ext3 is the filesystem on top. I’ve had some slight problems with one drive in both the Desktop and server arrays and both arrays had been degraded for some time. My goal was ultimately redundancy and to eliminate the disruption that hard drive failures have given over the last few years.

When push comes to shove I’m cheap and hadn’t looked at replacing the drives yet. (Potentially a problem especially since I was down to 1 drive for 2 out of 3 arrays.) So, I was running a risk for several months. The main reasons I’ve procrastinated is 1) I’m cheap and 2) I’m busy. The other reason though is the two arrays were made of 400gb sata drives which are now hard to find. 500 gb is the new standard size. Now, I don’t want to waste space so… it’s been a bit of a mental puzzle thinking about replacing one, growing the partition size and then replacing the other to pass along to the second system.

So….. long story short. I was able to re-add the drives to their respective arrays after researching the best way to grow a mirrored array onto larger devices. Why? When the arrays degraded they did so for pending sector reads. I’ve tested the drives via smart and they seem okay. So, I tried re-adding and so far all seems good.

Anyway, here’s the link dump:

Good reminder – http://www.freddenny.com/UNIX/linuxRAID.html – making raid volumes bootable when moved.

Resizing a raid 1 system partition – http://mkfblog.blogspot.com/2007/11/resizing-raid1-system-partition.html

Looks like gparted supports software raid now – http://gparted.sourceforge.net/news.php

Just some notes for a reminder.

RAID is not a substitute for backups. If you accidentally delete a file, it’s still GONE. If you have corruption on one drive (or via the bus) your data is still GONE. Schedule backups of important data.

In sum – replacing drives in a software raid array is quite simple – especially if they’re the same size. Moving to larger drives and not wasting space is a bit more complicated and is a bridge I’ll have to cross at some point.

As a side note, I discovered that I had two more drives of equal size (2 160GB drives) in one system that I had originally intended to mirror those as well, but they needed data cleanup. I spent some time cleaning up the data on one then deleted it’s partitions – created a new partition of the linux auto raid type and create a new raid device with that drive and a missing drive. After that, I created the ext3 filesystem and moved the files over from the other drive. Then I blew away the partition on the 2nd drive and re-partitioned that to be a linux auto raid partition. Then I added it to the array and all synced well.

So, now – all of my 24/7 uptime drives are mirrored and I’ve got some research notes for how to move things around to larger drives when the time comes. I still should add a to-do item to check and see how many more sata drives I could squeeze into my desktop or server – it might be nice to have a hot spare.

If you didn’t know, this has been a tumultuous week for clients of Westhost, my internet service provider. Their Primary data center is located in Utah and they share that space with a sister brand VPS.net. The datacenter is a Tier IV center managed by Consonus. Saturday afternoon there was a yearly fire equipment/alarm/suppression system test. The third party technician failed to follow procedures and one actuator remained on the output system for the gas that is designed to suppress fires in the building. When the system was re-armed there was a sudden release of the gaseous fire suppressant. At that same moment hundreds of hard drives died. Now, Inergen is what was used and the gases themselves shouldn’t be a problem. In this case, and judging from what I’ve read, the problem was with the sudden and intense change in air pressure caused by the release. That point is somewhat moot though, the end result is hundreds of dead and damaged hard drives.

Now, I have an account with VPS.net as well as westhost and have a VPS in the Utah datacenter with vps.net as well as several (12 or so) vps’s with westhost. They use Sphera as their Virtual machine platform, while vps.net is a xen based platform. One of the advantages that VPS.net had is their architecture is cloud based and another advantage from what I can see is that they have a smaller hardware footprint at the DC than Westhost. VPS first reported some sort of potential power issue at the DC early on, before finally getting the details that power was not the issue, fire suppressant was. Fortunately for them they were able to get enough drives replaced to be operational by Saturday night/Sunday morning and then back to 100% not long afterwards.

Westhost has not been nearly so fortnate. The first reports out of Westhost were that Sphera was acting up. A statement that was raked over the coals by many in hindsight as a lie. In all fairness, if you look at your network status monitor and see EVERYTHING going don – wouldn’t you wonder if your platform itself wasn’t the issue(?) I would. Information was slow coming out of Westhost, I think in part due to the size and scale of the damage. I have been lucky and only have seen sporadic downtimes, maybe a day at the most on Saturday. Some systems have not been so lucky and are still offline.

Among the issues have been multiple drives in the RAID arrays on individual machines have been hit. In some cases that would require restoring from backups. Well, the servers that host the backups were hit too. (Backups in the same building – a traditional IT no-no, but realistically in many hosting situations that is par for the course.) In the case of one group of servers they have now brought in data recovery experts to recover drives to restore from.

In all fairness, I think they’ve had a monumental repair job and have been handling it quite well. I would have appreciated more information up front, but being a self employed tech I know that talking doesn’t solve problems with hardware and can understand why it took so long to start getting the facts of the story as to what happened and passing them along.

The whole event though has had me thinking seriously about webhosting and the way we treat our data in the cloud. We assume that if our webhost does backups then we shouldn’t worry about making backups. But what if a comet hits their datacenter?

For many people a week of outage may not phase you. Maybe you just have a hobby site, or “it’s just a brochure” or “most of our leads come from local referrals anyway”. But, for many they may make hundreds or thousands a day from their site (or 10s of thousands). What then? First off. If your sites are making that much for you, does it make sense to be using cheap hosting? I think it’s a serious question to ask. I’m not saying that cheap is unreliable mind you, but with cheaper hosting you have fewer frills (backups not stored offsite for instance, single datacenter perhaps). There are services out there that are more expensive but can better assure uptime. There are services where you could have your site mirrored across several data centers and load balanced to whichever ones are the current most responsive.

I guess one of the things that I’ve considered is….. if your site is THAT important to you here’s what you should do.

1) look at and consider load balanced hosting with multiple datacenters.

2) Have a registrar for your domain name that is different from your hosting company. Why? The registrar is where you can set dns server information. If your hosting company is down you won’t be able to manage switching dns to another location.

3) Have a copy of your dns settings available offsite so that you can reconstruct the DNS if necessary elsewhere. This is especially useful for hosted google docs/gmail setups.

4) Have an offsite backup of all your essential configuration files (mail accounts and passwords for instance or mail aliases.) Virtual server settings for apache perhaps.

5) Have an offsite backup for any databases you use. You can script these to be automatically made and sent to an offsite location fairly easily, or pay someone to do so.

6) Have an offsite backup for any install files, html files or other tools that you make use of on your site.

Most sites are going to find this kind of contingency planning fairly easy. It’s only hard WHEN YOUR HOST IS DOWN and you don’t have an offsite copy. Some would say, well the hosting company should do this for me. The only thought I have to that statement is you should then not have a problem with your site being down. Take responsibility for the planning and you won’t regret it.

Now, I don’t mean to suggest that everyone should abandon your hosting the minute there is an outage. In fact, I see many moves like this as a temporary “bug out” until things settle down with your main provider. Actually as a VAR myself I’m thinking this is a service that I should be offering my hosting clients so that they don’t have to deal with the mess of moving firsthand.

So…. what do I mean by offsite? Well, you could of course, load all of the backups onto a server or desktop in your office or business. That’s a possibility, but you could also make use of various online storage possibilities like jungledisk or direct to Amazons S3 storage. You may want to just take advantage of a spare slicehost, vps.net or linode server as your backup server. My main preference would be to at least host it in a different datacenter from your primary vps or other hosting and potentially set it up with a different company. At the very least you should also research your backup plan hosting options from other providers in case yours is decimated by such an outage.

In respect to Westhost, I’m impressed with their work at this point, they’ve been one of the most responsive companies I’ve ever dealt with and they will get through this. Yes, some customers may go elsewhere and likely already have. That happens. With proper planning though a temporary site can be up quickly and easily elsewhere while the dust settles and then if you like you can transition back to your previous hosting, or keep it as a spare in case your NEW location has a meltdown.

It would probably pay well to make your contingency planning for all of your sites today!

This afternoon I received an email that said the following…

Welcome to Midwave Products LLC!

Congratulations Avery,

This e-mail is to confirm your recent/successful WaveEGreetings.com
order! Log in online and get instant access to hundreds of E-Greeting
Cards!

Billing Telephone Number: **********

As part of your service with the WaveEGreetings.com program, you will
receive:
Unlimited access to ecards for every occasion!
Send greetings to your friends and family.
Create unique and personalized greetings.

Your WaveEGreetings.com account can be accessed by going to
www.waveEgreetings.com/login.asp and entering in your username and
password below;
username: ****************
password: *************

For your convenience you will be billed a monthly fee of $14.95 on your
local phone bill for the phone number you provided which is **********.
Although, there is no affiliation with your local phone company, these
charges will appear on your local telephone bill on the Transaction
Clearing bill page as being billed on behalf of Midwave Products, LLC.
There is no long term contract and the service can be cancelled at any
time.

If you have questions or concerns and need to contact customer service
just simply reply to this e-mail and we will be happy to assist you.

You can cancel the service by calling 866-982-3699or by emailing us at
support@waveEgreetings.com and include your home telephone number or
simply reply to this email stating “cancel”. Or write us at PO Box 17598
Suite# 77145, Baltimore, Maryland 21297-1598.

Thank you and Congratulations on joining WaveEGreetings.com

Sincerely,
WaveEGreetings.com Customer Support
—————————————-

AT&T ENDUSERS:You have the right to dispute the Midwave Products LLC
charges billed on your local telephone bill. You are not legally
responsible for Midwave Products LLC charges incurred by minors or
vulnerable adults without your consent. Your local telephone service
will not be disconnected because you fail to pay a charge by Midwave
Products LLC except that nonpayment of certain regulated
telecommunication charges may result in disconnection of service in
Alabama, Florida, Georgia, Kentucky, Louisiana, South Carolina and
Tennessee. Enhanced Telecommunications Service Providers may employ
other agencies to collect delinquent charge, even if your local phone
company has previously adjusted them from your telephone bill.

My first thought was that this was a phishing email and I checked out the links in the message and the site of waveEgreetings.com because….

To be honest I’m not that hot on FREE ecards really – much less a $14.95 per month subscription (!$!$!$???) It all seemed legit and so I sent a message to the support@ email mentioned in the message I got to cancel immediately and make sure that no charges ever appeared for this on my phone bill.

And…

—– The following addresses had permanent fatal errors —–

(reason: 550 #5.1.0 Address rejected support@waveEgreetings.com)

—– Transcript of session follows —–
… while talking to smtp.secureserver.net.:
>>> RCPT To:
<<< 550 #5.1.0 Address rejected support@waveEgreetings.com
550 5.1.1 … User unknown

So…. I tried replying to the message as instructed as our second option to cancel….

—– The following addresses had permanent fatal errors —–

(reason: 550 #5.1.0 Address rejected membership@waveEgreetings.com)

—– Transcript of session follows —–
… while talking to smtp.secureserver.net.:
>>> RCPT To:
<<< 550 #5.1.0 Address rejected membership@waveEgreetings.com
550 5.1.1 … User unknown

By now I was fairly primed for a phone call and called the number listed in the email. I looked on their website to try to verify that this really is the number of Midwave Products LLC – but their site does not have contact information and I was NOT about to login to an account I didn’t want in the first place to see if they posted a phone number inside the gates. –CORRECTION– I do see that they do have their phone # on their main webpage – it’s in the VERY small print after the box to check for agreeing to the terms and conditions….etc.

So, I called and about 5 minutes after my call I was told that I was the next caller in line and my call would be handled by the next available representative. There was a pause in the music and then a click and a fast busy. I was hung up on!

So, I called back and was connected fairly quickly to a representative who asked for a confirmation of phone number and address. It was canceled in short order.

First off, I really DON’T LIKE to see services “conveniently bill to your telephone bill.” I have seen lots of companies do this and they most all have been scams. One company I know had a sudden charge on their bill for webhosting from God only knows where. I DID THEIR webhosting. Our best guess was that somebody called up and asked some questions and they suddenly had a $100 a month charge added to their phone bill. They canceled in short order and the phone representative I spoke with said that they had a lot of complaints from that particular group. I remember going through similar problems with long distance slammers at one point as well. I seem to recall even one more “service” that we found a charge for on our bill that was not something we authorized.

I suspect that many businesses and individuals either don’t look closely at their phone bills and just pay it or…. are big enough that the person paying the bill is not the one authorizing charges on it and they don’t ask any questions.

I thank the representative at waveegreetings.com for the quick and easy cancellation. However, I will be watching carefully to make sure that there are no charges for this.

So…. this leaves me with a few questions.

1) WHO would pay $15 each month to be able to send electronic greeting cards !!!!!

2) Are there people that get a commission for signing up new leads for wavegreetings.com (my bet is the answer is yes…)

3) Have you ever had a strange charge on your phone bill?

4) Has anyone else had a similar experience with WaveEgreetings.com?

A recent malware removal session gave a very frustrating error in trying to boot into safe mode. I was unable to boot into safe mode, safe mode with networking or even safe mode with the command prompt. The Stop Error was a Stop 0×0000007B Error. The instructions on the screen talk about running chkdsk on the drive (which I did.) There were a few things found and corrected, but the problem was still there. On investigation I went into the registry editor (regedit) and found that the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot registry key had been emasculated. There were two subkeys for minimal and network profiles…. So… I found a way to rebuild them.

Didier Stevens has spent a lot of time on this and has developed a registry patch file. There are patches for Xp sp2 and sp3 as well as 2003 server and Windows 2000 SP4 in his download zip.

There is an https and an http download link for safeboot. The registry patches worked and allowed safe mode to work. I did further scans on the system and ultimately all is clean.

Live Enterprise Suite is yet another rogue security application. This is a successor to the frustrating Internet Antivirus Pro and Ghost Antivirus rogues. Like many of these security rogues they are pushed through malware and aggressive advertising. This may be a website that when visited a screen pops up that appears to be doing a scan on your computer. However, everyone sees the same video when they visit the site, so you may see the same message whether you’re browsing with windows, apple mac or linux. Unfortunately, this trick is effective and many will click on the link they provide which installs the software on the local machine. Read on for how to remove live enterprise suite.

Among the other usual nuisances of these pests, this one also installs the TDL3 rootkit and disables task manager. It also deactivates security software that it is able to find and get rid of. This can be a very challenging infection to clean up and you may need to resort to a livecd and deleting some of the files to regain control over the system. You may use either the recovery console or a bartpe/ultimate boot cd disk or even a linux boot disk to remove the files.

There are a number of other things you may try to remove this rogue. First you may want to visit the control panel and add/remove programs and attempt to uninstall live enterprise suite. It probably won’t work, but is worth a try. If it DOES work, then you should scan your system with a malware removal tool such as superantispyware or malwarebytes antimalware (or both) and a reputable antivirus before considering it clean.

To remove live enterprise suite you will want to use an automated tool if at all possible such as superantispywares portable scanner or malwarebytes antimalware (both can be found on the virus removal tools page.) The portable scanner from superantispyware is easier and has some advantages. 1) it is randomly named each download so, is not likely to be noticed and terminated by the rogue. 2) It is updated daily, so you don’t need to check for updates if you’ve downloaded the portable scanner fresh today. That much said, you may not be able to download anything on the affected machine, so make use of a usb flash drive for this and a clean computer.

If you have trouble running either superantispyware’s portable scanner or the malwarebytes antimalware installer you may try the following and then re-attempt to run your chosen cleaner. 1) rename the program to something that will be more likely allowed to run (explorer.exe iexplore.exe firefox.exe are good candidates.) 2) reboot into safe mode with networking and try running again. Malwarebytes will need safe mode with networking to perform an update to make certain that you have the latest definition updates.

Remove anything that is found and scan again. I usually keep scanning and alternate malware removal/antivirus tools until the system is clean. If you have trouble logging in to windows after cleaning, then read this for suggestions on what to do.

The files associated with live enterprise suite are listed below. You will need to delete this files if you have to do a manual removal of live enterprise suite. You may make use of the recovery console or a windows live cd such as bartpe, ultimate bootcd or a linux boot cd to be able to remove the files listed. Unfortunately some of the files are randomly named and so will be different from one install to another. For this reason, you need to be careful in determining which files to delete. Use the locations seen here, the files you see on your system and your best judgment to decide. (When in doubt make a folder to quarantine to and MOVE the files there.)

%user%\Application Data\Live Enterprise Suite
%user%\Application Data\Live Enterprise Suite\settings.ini
%user%\Application Data\Live Enterprise Suite\uill.ini
%user%\Application Data\Live Enterprise Suite\unins000.exe
%user%\Application Data\Live Enterprise Suite\updateloadlist.ini
%user%\Application Data\Live Enterprise Suite\db
%user%\Application Data\Live Enterprise Suite\db\config.cfg
%user%\Application Data\Live Enterprise Suite\db\Timeout.inf
%user%\Application Data\Live Enterprise Suite\db\Urls.inf
%user%\Application Data\Microsoft\Windows\winlogon.exe
%user%\Local Settings\Application Data\Microsoft\Windows\log.txt
%user%\Local Settings\Application Data\Microsoft\Windows\pguard.ini
%user%\Local Settings\Application Data\Microsoft\Windows\services.exe
%user%\My Documents\My Pictures\atbyin.exe
%progfiles%\Common Files\RANDOMchar.exe
%progfiles%\Common Files\RANDOMcalc.exe
%progfiles%\Live Enterprise Suite
%progfiles%\Live Enterprise Suite\activate.ico
%progfiles%\Live Enterprise Suite\Explorer.ico
%progfiles%\Live Enterprise Suite\Live Enterprise Suite.exe
%progfiles%\Live Enterprise Suite\unins000.dat
%progfiles%\Live Enterprise Suite\uninstall.ico
%progfiles%\Live Enterprise Suite\working.log
%win%\system32\RANDOM.dll
%win%\system32\RANDOM.dll

I’m still working to confirm/complete the list of files above. Even after a full manual removal of live enterprise suite you should follow up with scans using a trusted malware removal tool such as superantispyware or malwarebytes antimalware. Also, scan with a reputable antivirus application. Reputable doesn’t have to mean a paid antivirus, free is okay, an online scanner can be all right, just make sure that it is a more trusted name such as AVG/avira/trendmicro/norton/mcafee/etc.

This article may come in handy if you are out there battling the latest rogue du jour. Occasionally I have been through a cleaning process for these rogues and got to a point where the scanner had run and cleaned things out (whether it was malwarebytes antimalware or superantispyware.) It was time to reboot and the system reboots, starts to load the desktop wallpaper and then…. You see the windows login screen and the words “saving settings” under the username followed by the words “logging out”. You may try again, but it doesn’t even load the desktop icons it just boots you back out to the login screen. If you try safe mode you may get the same behavior (it was in my case), administrator or the typical system user didn’t seem to make a difference. I couldn’t even get to safe mode with the command prompt. No choice but to reinstall right? Wrong….

For this you will need to get access to the registry. Obviously given that this system is problematic we have limited options. If you have been able to access the registry remotely over the network that may work for you, but in my case I have an Ultimate boot CD which includes a Windows live cd environment. One catch with windows live boot cds though is that they need to be made from a working windows system. So, if you don’t already have one in your toolkit, you will need to scrounge your way to a working windows xp system with your windows disk, internet connection and then get your boot cd setup.

You may be able to use a linux boot cd to edit the registry (using wine perhaps as this article suggests.) Although that’s a path I haven’t gone down before… Other than that though I don’t know another way to edit the registry from linux.

Here’s what you will need to check in the registry.

HKeyLocalMachine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

You are looking for the userinit value which should be c:\windows\system32\userinit.exe and shell should be explorer.exe

In my case userinit was set to c:\windows\system32\winlogon32.exe or some such nonsense. Fixing this restored the ability to login.

However, if it appears set correctly it may be that your copy of userinit.exe is corrupted and you may need to extract it from the windows install disk in recovery console mode…

expand d:\i386\userinit.ex_ c:\windows\system32\userinit.exe

So, if you’re stuck in a windows login logout loop that you just cannot login to windows it automatically logs you back out before you see the desktop the above may solve the problem for you.

APCSafe is another of the recent variations on the Wini family of rogue antivirus applications. Like all the others it is pushed by trojan activity… this is typically a video site that claims to have a sought after video, but alas…. the video cannot be viewed unless you install a flashplayer update that they have on the site, or a video codec. These of course, aren’t really what they are, they are the payload of this rogue antivirus. Once it is installed it will run at boot, scan files and complain of many viruses on your system as well as security problems with your computer. None of these can be fixed without paying for the software, so it claims. This is a scam, so please read on for how to remove apcsafe.

Among the easiest ways to get rid of any software that you don’t work is to go to the control panel and use the add/remove programs applet to uninstall apcsafe or whichever other software you are trying to get rid of. This may not work for rogue antivirus software because typically these programs don’t want to be uninstalled. If it does work for some reason, then you should still follow it up with a scan from a reputable malware removal tool and then a reputable antivirus application.

Your next best option for removing a pest such as apcsafe is to use a tool such as the portable scanner from superantispyware. There is a link on my virus removal toolkit page. It is updated daily and so you shouldn’t need to update it once it downloads. It will use a random filename each time it is downloaded so you should take care to make a note of the filename as it downloads so you can find it when the download is completed. If for some reason it doesn’t run when it’s downloaded you may try the following tricks to run it. 1) rename it to either explorer.exe iexplore.exe or firefox.exe and then retry running it. 2) reboot into safe mode and retry running it. When it does run, remove all the infections found and then run it again, and again until things come clear.

If you wish to perform a manual removal of apcsafe you will need to refer to the list of filenames below of those files associated with apcsafe.

%user%\Local Settings\temp\00002e99
%docs%\All Users\Desktop\APcSafe.lnk
%docs%\All Users\Start Menu\Programs\APcSafe\1 APcSafe.lnk
%docs%\All Users\Start Menu\Programs\APcSafe\2 Homepage.lnk
%docs%\All Users\Start Menu\Programs\APcSafe\3 Uninstall.lnk
%progfiles%\APcSafe Software\APcSafe\APcSafe.exe
%progfiles%\APcSafe Software\APcSafe\uninstall.exe
%win%\system32\RANDOM.exe
%win%\system32\spool\prtprocs\w32×86\00003e8f.tmp

After you have removed the files above or using a tool such as superantispyware then you should follow up with further malware removal scans and antivirus applications. I typically will scan until things come clean. You should make sure that you use only reputable products for these scans. Free is okay, an online scanner is okay, just make sure they have a good reputation.

If you are administrator of a computer network you may wish to block traffic to apcsafe.com

PCSecure is a recent rogue antivirus from the notorious and prolific wini family of rogue security software. It is typically promoted via trojan downloaders. Usually these will be on a website with a video that may be highly sought after. In order to see the video though you are told that you need to download a codec update or flash player update. This is where you get the infection that starts the nightmare of popups complaining of viruses on your system and multiple security problems on your pc. The real kicker is that they claim that the problems cannot be fixed unless you purchase their software. This is a scam and should be avoided. Read on for how to remove PCSecure.

This and other recent versions of the wini rogues may also bundle a rootkit that has been called the TDL3 rootkit. You may need further cleanup on this machine than the relatively simple rogue security software removal. Among the warnings you may see on your system will be the following:

German Alert:
Spzprogramm Warnzeichen!
Ihr Computer ist mit Spionprogramm infektioniert. Das kann Ihren Dateien und die im Internet zugänglich machen. Klicken bitte hier, um Ihre Kopie von PcsSecure zu registrieren und Ihr PC von Spyprogramm frei zu machen.

English Alert:
Spyware Alert!
Your computer is infected with spyware. It could damage your critical files or expose your private data on the Internet. Click here to register your copy of PcsSecure and remove spyware threats from your PC.

French Alert:
Spyware Alerte!
Votre ordinateur est infecté de spyware. Il pourrait endommager vos fichiers critiques ou exposer vos données prives sur ‘Internet. Cliquez ici pour enregistrer votre copie de PcsSecure et enléver des menaces spyware de votre OP.

Italian Alert:
Spyware miniaccia!
Il suo computer è infetto di spyware. Puo dannegiare i suoi files criticali rivelare i suoi dati personali nell’Internet. Clicca qui per registrare la sua coppia di PcsSecure e rimouvere le minacce di spyware dal suo computer.

The first and easiest way to attempt removal of pcsecure or other rogues may or may not work. This is going to the control panel and the add/remove programs area and then uninstall pcsecure. As I said, this may work, but it may not. Even if it does, you should follow this with a scan of your computer using a malware removal tool that is reputable such as superantispyware or malwarebytes antimalware. You also should scan the system with a reputable antivirus such as AVG/Avira/Trendmicros online housecall, etc.

If you were unable to remove this pest by using the control panel, I think the next easiest way should be the portable scanner from superantispyware. You can find a link to it on my virus removal toolkit page. Basically, it is rebuilt each day so you shouldn’t have to worry about updating it before scanning and it is given a random name each time it is downloaded so the rogues shouldn’t be able to kill it off thinking it is security software. That much said, if you have a hard time running your download of the portable scanner you may try the following: 1) rename the download to something like explorer.exe or iexplore.exe or firefox.exe – these are usually process names that the rogues will leave alone (especially explorer.exe). 2) reboot into safe mode and attempt torun the scanner there. Make sure to note the filename when you download since it is almost always a different filename.

If you would like to try to attempt a manual removal of pcsecure then you will need to know the filenames listed below.

%docs%\All Users\Desktop\PcsSecure.lnk
%docs%\All Users\Start Menu\Programs\PcsSecure
%docs%\All Users\Start Menu\Programs\PcsSecure\1 PcsSecure.lnk
%docs%\All Users\Start Menu\Programs\PcsSecure\2 Homepage.lnk
%docs%\All Users\Start Menu\Programs\PcsSecure\3 Uninstall.lnk
%progfiles%\PcsSecure Software
%progfiles%\PcsSecure Software\PcsSecure
%progfiles%\PcsSecure Software\PcsSecure\PcsSecure.exe
%progfiles%\PcsSecure Software\PcsSecure\uninstall.exe
%win%\10548h5c9tool4z5.exe
%win%\105z5troj199.cpl
%win%\11359not-z-9irus405.bin
%win%\system32\48fcthizf1950.cpl
%win%\system32\4943h9ckto5lz78.ocx
%win%\system32\49705hi9f896z.bin
%win%\system32\RANDOM.exe

After the above files have been removed you should still scan your system with a reputable malware removal tool and reputable antivirus to make sure that your system is clean. I will typically run scans until the scans start coming up with nothing found to make certain that everything related to the rogues have been eliminated.

Once upon a time I wrote of manually extracting a file from a mondorescue backup. Sometimes it’s just easier to do that, than have mondorescue go through 30 some cds or dvds just to find one file. (Not to mention the fact that the iso’s aren’t burned to disc but are just stored on a usb HD.) So, I’ve just had the opportunity to try to restore one of the “biggiefiles”. Mondoarchive attempts to split huge files up into smaller slices for archiving. The size is something that I think is configurable, but I haven’t made any changes from the default.

The first trick is figuring out which set of slice-0000105-0000.dat files to hunt for. Find the list of biggiefiles (usually in the archives folder called biggiefiles.txt) grep the file looking for your filename, but we will need the line number of the file. In my case I did `grep -n myfilename biggiefiles.txt` and found that the file I was looking for was at line 106.

So, I started looking and found that the slice-0000106-0000.dat file reported a different filename when I used head to read the beginning of it. So, I looked at slice-0000105-0000.dat…. aha! Our line 1 in biggiefile.txt get’s to be slice-0000000-0000.dat So we’ll always be one number off from the line number.

Okay – so in my case there were about 17 slices… ranging from slice-0000106-0000.dat to slice-0000106-0017.dat I should mention that many of these slices are bz2 compressed – so the first step is to uncompress them all bunzip2 *bz2 in the folder I was using as a temp folder for this worked.

Next, I just tried cat’ting them all together `cat slice*.dat >all_files.dat` But the resulting file was read as corrupt (I was restoring an access database. So, after a bit of looking at the mondo-archive code…. I tried something a bit different. I renamed the first slice (ending in 0000.dat) to something outside of our slice- count sequence -so I just called it outside.dat and then cat’ted the rest of them together using the same command as above. Why ? The 0000.dat file apparently is written as a header with just the filename and perhaps other information that mondoarchive uses (size?) I really don’t know what else, but I had noticed that the header on the 0001.dat was similar to the header on my real .mdb files that were floating around.

Anyway – I’m making a note of it here in case I need it again. Probably the best thing I can suggest to start with is to create a folder to work on these files outside of your backup structure. And by all means COPY instead of move the files over into it.

Desktop Security 2010 is a rogue antivirus application. It is a successor to Total PC Defender and installs on your pc without permission through the use of malware. Once on your system it will create numerous files that it then finds during scheduled scans and it claims these files are virus infected. It will scan at windows startup and claim these files and some legitimate files are infected with viruses and the only way it can clean them is if you purchase the software. If the files listed are removed it can damage your system. Obviously, this is a scam just to get your money, read on for how to remove desktop security 2010.

You will see many pop up warnings and errors from this rogue including the following:

Warning! Running trial version!
Your computer has been compromised! Now running trial version of the software! Click here to purchase the full version of the software and get full protection for your PC!

Security Center Alert
To help protect your computer, Desktop Security 2010 has blocked some features of this program.
Name Sft.dez.Wien
Risk High
Description Sft.dez.Wien is a virus attempts to spread itself by attaching to a host program, and can damage hardware, software or data in the process. This worm can be blocked from firewall and antivirus software.

Spyware Warning
Your online guard helps to stop unauthorized changes to your computer
Details: Spyware detected on your computer

Your computer might be at risk
Antivirus detects viruses, worms, and Trojan horses. They can (and do) destroy data, format your hard disk or can destroy the BIOS. By destroying the BIOS many times you end up buying a new motherboard or if the bios chip is removable then that chip would need replacing.
Click this balloon to fix this problem.

No firewall is turned on
Automatic Updates is turned off
Antivirus software might not be activated
Click this balloon to fix this problem.

All of these errors should be disregarded as you work to remove desktop security 2010. Your first stop for this removal should be the control panel and then the add/remove programs applet. From there you should try to uninstall desktop security 2010. This may or may not be successful. If it is, congratulations…. follow that uninstall up with a scan using malwarebytes antimalware or superantispyware. Then follow THAT up with a scan using a reputable antivirus application.

If the uninstall approach didn’t work, you can next try to remove desktop security 2010 using the portable scanner from superantispyware. There is a download link on my virus removal toolkit page. When it downloads it will be given a random name, so make note of the name as it downloads so you can find it later. Also, it is rebuilt daily so it should have the latest definition updates so you should not need to run an update before scanning.

Run a scan with the portable scanner and clean out everything that it finds. Then scan again and again until the system comes clean. If you are interested in performing a manual removal of desktop security 2010 you should make note of the following files and folders to delete:

%docs%\All Users\Start Menu\Programs\Desktop Security 2010
%docs%\All Users\Start Menu\Programs\Desktop Security 2010.lnk
%docs%\All Users\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk
%docs%\All Users\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk
%docs%\All Users\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk
%docs%\All Users\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk
%user%\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.lnk
%user%\Local Settings\Temp\gedx_ae09.exe
%user%\Local Settings\Temp\jkfuckjs.exe
%user%\Local Settings\Temp\kgn.exe
%user%\Local Settings\Temp\kilslmd.exex
%user%\Local Settings\Temp\kn.a.exe
%progfiles%\Desktop Security 2010
%progfiles%\Desktop Security 2010\daily.cvd
%progfiles%\Desktop Security 2010\Desktop Security 2010.exe
c:\Program Files%progfiles%%progfiles%\Desktop Security 2010\hjengine.dll
%progfiles%\Desktop Security 2010\mfc71.dll
%progfiles%\Desktop Security 2010\MFC71ENU.DLL
%progfiles%\Desktop Security 2010\msvcp71.dll
%progfiles%\Desktop Security 2010\msvcr71.dll
%progfiles%\Desktop Security 2010\pthreadVC2.dll
%progfiles%\Desktop Security 2010\securitycenter.exe
%progfiles%\Desktop Security 2010\taskmgr.dll
%progfiles%\Desktop Security 2010\uninstall.exe
%win%\system32\RANDOM.exe

Follow up any removal of desktop security 2010 with a scan from a trusted, reputable malware removal tool such as superantispyware or malwarebytes antimalware. Then you should follow up with a scan from a trusted antivirus application. Make certain that you are using reputable tools. Free is fine, an online scanner is okay, just make sure that they are reputable.