http://www.bootdisk.com/ 233 August 2005
Welcome to the 233rd Edition of The BootLIST
1) Malware Cleaning Feedback
2) How Does XXCLONE Work?
1) Malware Cleaning Feedback
Joycee wrote regarding Issue 232
That was very good advice on the trojan in issue 232, but there was something else that should have been done. Stop System Restore running before using Ad-aware etc.
The trojan is still sitting in there; once all the scans have been done and the computer is clean, then System Restore should be started again. A lot of people will run the scans and keep getting the message that the trojan is still there but cannot be deleted, simply because it is sitting protected in System Restore.
If the system and files have been backed up to removable disks, they should also be scanned before transferring anything back onto the machine. Better safe than sorry.
By the way, I have been getting your Bootdisk emails since you started and am completely addicted to them. I have sent the odd breakfast too, but as I am skint at the moment I have sent an email instead.
Keep up the good work. Joycee
*** Joycee is 100% correct. I totally forgot to mention to disable system restore IN ADVANCE of cleaning an infected PC.
I thought you might follow-up in your next newsletter in reference to #2 in Issue 232. Sometimes the programs you have suggested may detect some of the adware, but often can't remove it. As a matter of fact, a coworker's daughter had just that same issue on her computer as the person who you quoted. Even though she ran Spybot S&D and Adaware, it showed that everything was fixed, or it could not fix some items.
Rather than advising a novice user to try and remove things through the Add/Remove in the Control Panel that may cause more problems than help, I would suggest that the person first go to the Forums at the TeMerc Internet Countermeasures site:
Tom (TeMerc), who runs the site, and the volunteers who work with him have helped literally tens of thousands of users safely remove those Adware and Spyware programs. If you read the posts of the people he has helped solve their Adware and Spyware issues, you will see that the instructions are easy to understand and are given in a step-by-step interaction with the computer user that even the novice can grasp. You can also see, in the forums, that they do not give up until your computer is completely clean.
The daughter of the coworker I mentioned was a novice user and had a ton of Adware and Spyware issues with the pop-ups and disabled programs just as the person in your issue explained. TeMerc helped her rid her computer of all of that trash and also suggested free software to keep her from getting infected again!
Before suggesting a novice user try and remove Adware or Spyware on their own, I would hope you would follow up and suggest instead they ask for help at the TeMerc site.
The site also informs you on the latest security updates. He updates his site daily, so it is always current.
Best of all, the service is FREE! Tom does not ask for, nor does he accept donations for his help. You can read on the home page of his site why he provides this free service.
Please consider a small follow-up in your next newsletter. It may help your readers. Thanks again for a great newsletter!
John C., Ramona, CA.
2) How Does XXCLONE Work?
*** Cloning drives continues to be a popular subject as people purchase new disks and need to transfer their system to the new drive and then boot from it. I've used Ghost and other disk cloning apps for years and as long as I follow the instructions I rarely have a problem. Some recent articles re: Ghost are here:
As a techie, however, it's part of my job and my hobby to test out and learn about new utilities as they are developed, especially the hardcore utils like disk cloners. It also takes a while to learn and trust a new application before you use it on a friend's or a customer's PC.
To that end I was wondering how XXCLONE by Kan Yabumoto worked as compared to Ghost by Symantec so I wrote him this letter. His response follows.
Some folks who use Ghost to clone immediately trash the clone by not following the directions. Symantec tells you that after you do the clone, shut down and immediately swap the drives as XP doesn't like to see 2 versions of itself on a pc.
I don't seem to find any reference to this "issue" on your webpage. My question is, is this just due to the way Ghost works, or does XP really not like to see 2 versions of itself on a PC?
In other words, if you use XXCLONE, can you see if the clone worked correctly or do you have to shut down and swap drives right away.
You need not worry about the reboot sequence with or without the original volume. XXCLONE should handle the initial reboot into the new volume correctly whether you keep your original volume visible or not.
XXCLONE does not require any particular boot sequence after a clone operation. You may clone the system disk to the target disk (or even a second backup unit) more than once without reboot. Of course, every time you run XXCLONE to the same target volume, the contents of the target volume will be overwritten and therefore the last clone operation will be the one which counts. This may be the scenario if you don't boot your system for weeks but perform daily backup (once a day) using XXCLONE. There is no harm in doing repeated cloning to the same target.
Now, after a clone operation using XXCLONE, if you re-boot into the same original system, it will not cause any change to the target even if the target volume is still attached.
If you want to test the self-boot capability of the target volume, you may choose to do one of the two ways:
1. Without any change in the disk configuration, by choosing the target volume as the system disk (selecting from the boot menu --- set by the BOOT.INI file of the main volume), you may pass control to the target volume. In this case, if the target volume is on a different physical disk, then the main disk (NTLDR, BOOT.INI on the original volume) will be responsible for the first phase of the boot sequence. But eventually the control will be passed to the target volume and the boot sequence will continue. In this scenario, the boot operation will succeed even if the MBR and NTLDR/BOOT.INI file on the target are not properly initialized. But the contents of the target volume (mostly in the \windows\ directory) will be responsible for much of the Windows initialization, and therefore this test is still almost valid. Even if the MBR and boot sector are not properly initialized, if you use the Quick Boot Diskette, the target volume can be brought to life.
2. The most complete test is to swap the physical disks. In this case, all of the essential elements of the boot sequence (MBR, BootSector, NTLDR, BOOT.INI, etc.) must be properly initialized, else, you may not succeed in booting up.
In either case, you need not worry about the visibility of the original system disk in the boot process. In the first scenario, naturally, the MBR, boot sector, NTLDR, BOOT.INI, etc. of the boot disk (usually Disk0's active partition) still participate in the first phase of the boot sequence.
Since I don't have much experience with Ghost, I'm not familiar with the problem with Ghost that you described. But I know that when you boot from a newly cloned target volume, the initial drive-letter assignment will be somewhat tricky. This is due to the fact that the drive-letter assignment is persistent (saved in the system registry). The drive-letter assignment will be done by looking up the system registry, which identifies which disk signature goes with which drive letter. My guess is that Ghost probably clears the signature (or assigns a new signature) to each drive. I assume Ghost will not alter the source volume's signature.
When the target volume is booted with the original source volume still connected, Windows (XP) will reassign the drive letters that are missing (due to the erased signature). At that time, when the original volume is present, the original volume takes away the drive letter (usually C:), so that Windows will have no choice but to give a different drive letter to the new system disk, in my estimation.
This peculiar drive-letter reassignment mechanism of Win XP is probably the cause of the problems in Ghost.
In the case of XXCLONE, the drive-letter assignment will be handled in a more "assertive" fashion. That is, the drive letters of the original source volume and the cloned (target) volume are swapped by XXCLONE (and the system registry of the target volume properly matches the swapped drive letters accordingly), so there will be no drive-letter reassignment procedure taking place at the reboot. Therefore, whether you keep the original volume still attached to the system or remove it immediately before the reboot into the target volume, there will be no difference.
When you re-boot the system into the newly cloned volume for the first time, the system will automatically invoke the XXCLONE program on the target. Usually, XXCLONE will show a "congratulation!!!" message just once more (and the user will dismiss the program after checking the new disk-configurations using the Diskmgmt.msc applet following the advice of XXCLONE).
This final appearance of XXCLONE is not necessary if everything goes as planned (I would say 99% of the time). If something goes wrong in the drive-letter swapping process, XXCLONE will notice that the new system disk is not assigned the original (swapped) drive letter. When this rare case is detected, XXCLONE will initiate a special "double-reboot" sequence to try to do it right. Actually, this provision is the real (hidden) reason why we put the "congratulation" message in the first reboot into the cloned volume.
When you examine the Source and Target volume boxes in the XXCLONE window in its congratulatory invocation, you will find that the source volume box (the top box) shows the drive letter which was for the target and the target volume box shows the original system disk (usually C:) --- that is, you will find the two volumes' drive letters successfully swapped. Now, if you reboot the system with only the target volume, then obviously the source volume box will be empty. This is not an error. XXCLONE allows you to reboot the new system with or without the original volume there (but in the rare case of the double-reboot maneuver, the original volume is still needed).
To answer your question in simpler terms, XXCLONE should handle the drive-letter assignment correctly and the user need not worry about it one way or another.
*** Thanks Kan. For more information see:
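The drive-letter mechanism Kan describes above, as an added example that is not part of the newsletter and is not XXCLONE's or Ghost's code: XP keeps persistent letter assignments under HKLM\SYSTEM\MountedDevices, where each "\DosDevices\X:" value for an MBR volume is 12 bytes, the 4-byte disk signature from MBR offset 0x1B8 followed by the partition's 8-byte starting byte offset. The script below parses a constructed MBR, derives those registry values, and runs a simplified model of the Mount Manager's letter lookup over two scenarios: a target whose copy of the registry is left as the source had it, and a target whose two entries were swapped the way Kan describes. The disk signatures, partition layout, and the two-pass lookup rule are assumptions for illustration; real XP has additional rules (for instance it rewrites a duplicate disk signature) that this model omits.

```python
"""Model of XP drive-letter persistence via MBR disk signature (added example,
not from the newsletter or from XXCLONE). All disk data is constructed inline."""
import struct

SECTOR_SIZE = 512
MBR_DISK_SIGNATURE_OFFSET = 0x1B8
MBR_PARTITION_TABLE_OFFSET = 0x1BE
MBR_BOOT_SIGNATURE = b"\x55\xAA"
PART_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(disk_signature, partitions):
    """Construct a 512-byte MBR (sample data, not read from a real disk).
    partitions: list of (bootable, type_id, lba_start, sector_count)."""
    mbr = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", mbr, MBR_DISK_SIGNATURE_OFFSET, disk_signature)
    for i, (bootable, type_id, lba_start, count) in enumerate(partitions[:4]):
        entry = struct.pack(PART_ENTRY, 0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                            type_id, b"\xFE\xFF\xFF", lba_start, count)  # CHS fields are dummies
        off = MBR_PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = entry
    mbr[0x1FE:0x200] = MBR_BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(mbr):
    """Return (disk_signature, [(active, type_id, lba_start, sector_count), ...])."""
    if len(mbr) != SECTOR_SIZE or mbr[0x1FE:0x200] != MBR_BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    (signature,) = struct.unpack_from("<I", mbr, MBR_DISK_SIGNATURE_OFFSET)
    parts = []
    for i in range(4):
        status, _, type_id, _, lba, count = struct.unpack_from(
            PART_ENTRY, mbr, MBR_PARTITION_TABLE_OFFSET + 16 * i)
        if type_id != 0:  # type 0 is an empty slot
            parts.append((status == 0x80, type_id, lba, count))
    return signature, parts


def mounted_devices_value(disk_signature, lba_start):
    """12-byte REG_BINARY stored for an MBR volume under HKLM\\SYSTEM\\MountedDevices:
    disk signature (4 bytes LE) + partition start offset in bytes (8 bytes LE)."""
    return struct.pack("<IQ", disk_signature, lba_start * SECTOR_SIZE)


def assign_letters(registry, volumes):
    """Simplified Mount Manager lookup (assumption: real XP has more rules).
    registry: {mounted_devices_value: letter} as carried on the volume being booted.
    volumes:  [(name, disk_signature, lba_start)] in enumeration order.
    Pass 1 honors persisted letters (first claimant wins); pass 2 gives every
    unmatched volume the lowest free letter from C: upward."""
    result, taken = {}, set()
    for name, sig, lba in volumes:
        letter = registry.get(mounted_devices_value(sig, lba))
        if letter is not None and letter not in taken:
            result[name], _ = letter, taken.add(letter)
    for name, sig, lba in volumes:
        if name not in result:
            letter = next(c for c in "CDEFGHIJKLMNOPQRSTUVWXYZ" if c not in taken)
            result[name], _ = letter, taken.add(letter)
    return result


# Constructed sample disks: the original XP system disk and the clone target.
SOURCE_SIG, TARGET_SIG = 0x0011F2A3, 0x5EA7B00C  # assumed values
SOURCE_MBR = build_mbr(SOURCE_SIG, [(True, 0x07, 63, 40_000_000)])
TARGET_MBR = build_mbr(TARGET_SIG, [(True, 0x07, 63, 80_000_000)])


def volumes_of(name, mbr):
    sig, parts = parse_mbr(mbr)
    return [(f"{name}:{i}", sig, lba) for i, (_, _, lba, _) in enumerate(parts)]


def registry_from_source():
    """MountedDevices as it stood on the source while the clone ran (the target
    was attached as D:), and therefore as it is copied onto the target."""
    return {mounted_devices_value(SOURCE_SIG, 63): "C",
            mounted_devices_value(TARGET_SIG, 63): "D"}


def swapped_registry():
    """The 'assertive' variant Kan describes: the target's copy has the two
    volumes' letters exchanged, so the target's own signature now owns C:."""
    reg = registry_from_source()
    s, t = mounted_devices_value(SOURCE_SIG, 63), mounted_devices_value(TARGET_SIG, 63)
    reg[s], reg[t] = reg[t], reg[s]
    return reg


def boot_target(registry, source_attached):
    """Letters the target system would see at its first boot."""
    vols = volumes_of("target", TARGET_MBR)
    if source_attached:
        vols = volumes_of("source", SOURCE_MBR) + vols
    return assign_letters(registry, vols)


if __name__ == "__main__":
    print("registry copied unchanged, source attached:", boot_target(registry_from_source(), True))
    print("registry copied unchanged, source removed :", boot_target(registry_from_source(), False))
    print("letters swapped, source attached          :", boot_target(swapped_registry(), True))
    print("letters swapped, source removed           :", boot_target(swapped_registry(), False))
```

With the registry copied unchanged, the cloned system disk comes up as D: whether or not the source is still attached, because its own signature is already bound to D: in the copy it carries; with the entries swapped, it comes up as C: in both cases, which is the "no difference either way" behaviour Kan describes.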
Like this issue of The BootLIST?
You can, if you wish, return the favor and treat the Newsletter Author to a $5 Dollar Breakfast by clicking on this link:
Or choose your own level of support: http://tinyurl.com/3rpjc
BONUS - You will also be provided with a link to download issues #100 to present COMPLETE with a nice text search utility that highlights your search words and opens up the old LISTS within the app itself. No software install required. Everything is included in a SINGLE 600K zip package.
If you prefer real mail send a letter to Ed Jablonowski:
56 Kossman Street, East Brunswick, New Jersey 08816-4442 USA
NOTICE: Please don't reply to this email as the return address is just for catching autoreplies and spam. If you want to comment on an issue or have a question regarding logistics please see the FAQ:
Kindest regards, Ed