
Protect Yourself Against Application Sneak Attacks

Send your questions to answer@pcworld.com. Answer Line pays $50 for published items. You'll find Contributing Editor Lincoln Spector's humorous writing at www.thelinkinspector.com.

Some program has installed itself on my computer, bringing up unwanted pornography. I have tried to remove it, but it just keeps coming up again. What can I do?

Teng Beng Koay, McAllen, Texas

First, check Windows' System Configuration Utility to see whether the uninvited program is renewing itself every time you boot. (Windows 2000 lacks this program, but users of that OS can download Mike Lin's free Startup Control Panel.)

Press Windows-R or select Start, Run. Type msconfig, and press Enter. Click the Startup tab and look for a suspect command or file path in the resulting list. Unfortunately, the program's name is not likely to be obvious. Be suspicious of commands that look like 'C:\Windows\regedit.exe /s C:\Windows\System\x3z73t.tmp'. Such a command alters your Registry every time you boot. If you find a command similar to this example, uncheck it and then click OK. For good measure, delete the file that's mentioned at the end of the command--'C:\Windows\System\x3z73t.tmp', in my example--too.

If you don't discover any dubious file names, uncheck various entries in the list of Startup items one at a time and reboot. If the problem goes away, you have found the troublemaker. If an important function (such as your antivirus program) disappears, recheck the item that you just unchecked.
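The same review can be scripted on a Windows system that has PowerShell. The following is an added example, not part of the original column: it lists the Run and RunOnce Registry keys and reports commands that match the pattern described above. The two heuristics, the sample entries, and the name ExampleAV are assumptions constructed for illustration.

```powershell
# Added example: report startup commands that resemble the column's warning sign.
# The heuristics are illustrative assumptions, not a complete detector.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupEntry {
    # Emit one object per value stored under each Run/RunOnce key that exists.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -Path $key -ErrorAction SilentlyContinue)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = [string]$item.GetValue($name) }
        }
    }
}

function Get-StartupFinding {
    param([Parameter(ValueFromPipeline)]$Entry)
    process {
        $reasons = @()
        # regedit with /s imports a file into the Registry without prompting
        if ($Entry.Command -match '\bregedit(\.exe)?"?\s*/s\b') { $reasons += 'silent regedit import (/s)' }
        # a startup command that points at a temporary file
        if ($Entry.Command -match '\.tmp\b') { $reasons += 'references a .tmp file' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Key = $Entry.Key; Name = $Entry.Name
                Command = $Entry.Command; Why = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample entries, so the check can be seen working on any machine.
$samples = @(
    [pscustomobject]@{ Key = '(constructed)'; Name = 'Updater'
        Command = 'C:\Windows\regedit.exe /s C:\Windows\System\x3z73t.tmp' },
    [pscustomobject]@{ Key = '(constructed)'; Name = 'ExampleAV'
        Command = '"C:\Program Files\ExampleAV\avtray.exe" /startup' }
)

# Only the first sample is reported; live entries are checked the same way.
@($samples) + @(Get-StartupEntry) | Get-StartupFinding | Format-List
```

The script only reports; it changes nothing. It reads the Registry Run keys only, so items launched from the Startup folder still need to be reviewed in Msconfig.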

Whether or not Msconfig identifies the problem application, it's a good idea to fix your Registry. Read "How Do I Restore My Windows Registry?" from my April column for instructions on backing up and restoring the Registry. If you have a Registry backup from before the problem started, restore it from that backup.

If you don't have a useful Registry backup, be sure to create one right away. After the backup is complete, press Windows-R or select Start, Run. Type regedit and hit Enter. When the Registry Editor opens, press Ctrl-F and enter the name of the invasive program, the URL it points to, or any string of text that might refer to it. When you find a suspect key in the Registry, delete it with extreme prejudice.

There's a good chance that the offending program uses JavaScript, so consider limiting your browser's scripting capabilities. To do so in Internet Explorer, select Tools, Internet Options, Security, Custom Level. Scroll to the Active scripting section, and select either Disable or Prompt (see FIGURE 1). Click OK twice. Note that disabling this feature blocks legitimate scripts as well as bad ones--and being prompted to allow each script case-by-case gets annoying fast.

FIGURE 1: Turn off or limit scripts to avoid dangerous pornographic intrusions.

There are two free programs that may help you find the miscreant: Lavasoft's Ad-aware and PepiMK's Spybot Search & Destroy.

You may have been the victim of a program that exploits Internet Explorer's Browser Helper Object subsystem, which is intended to let plug-ins run inside the browser. Visit "Sneaky Apps Attack" for more information about "stealthware" applications--and how to combat them.

Restore Private Folders

I had to reinstall Windows XP on a system containing private folders. Now I can't get back into these folders, even though I've created the same user names as before. What can I do?

Robert Bell, Mohnton, Pennsylvania

Reboot your PC, and before Windows starts loading, press F8 to view the boot menu. Select Safe Mode and log on with an Administrator-level account.

Once XP is running in Safe Mode, open Windows Explorer, right-click a private folder, and select Properties. Click Security, Advanced, Owner. Select the appropriate owner in the 'Change owner to' box, select Replace owner on subcontainers and objects, and click OK. At the warning, click Yes. Reboot to return to normal Windows.

When System Restore Doesn't

Why can't System Restore restore my Registry? Whenever I try to use it, I get smacked with a "restore incomplete" error message.

Vincent Wong, New York

You have a corrupted restore point. It happens sometimes, and the way System Restore works makes the problem worse. To save disk space, System Restore saves only changes made since the previous restore point was created. If Windows creates a new restore point every day, and you tell it on Friday to restore back to Monday, it must successfully restore the points from Thursday, Wednesday, and Tuesday before it can reach Monday's. If Thursday's restore point is corrupt, you can't get to Wednesday's.

There's no fix for this problem, but there are ways to avoid it in the future. One is to download and install XP's Service Pack 1, which fixes at least one restore-point-corrupting bug.

Also, don't rely on Windows' automatic backups. A newer backup will be more reliable than an older one, so create a restore point manually before you install software or do anything else that might alter your system.

Whenever you encounter a corrupted restore point, it's a good idea to start fresh by cleaning out all previous restore points. In Windows XP, click Start, right-click My Computer, and select Properties, System Restore. Next, check Turn off System Restore on all drives, click OK, and then click Yes. Reboot your computer and follow the same steps, but this time uncheck the Turn off System Restore on all drives option.

In Windows Me, right-click My Computer and select Properties, Performance, File System, Troubleshooting. Check Disable System Restore and click OK, Close, and Yes. After Windows has rebooted, repeat the same procedure, but this time be sure to uncheck the Disable System Restore option.

In Windows Me you can back up the Registry without System Restore: Select Start, Run, type scanreg, and press Enter. When the prompt tells you that there are no errors, click Yes, and then OK. To restore the Registry, go back to the Run box and type scanreg /restore (don't forget the space before the slash).

Windows XP doesn't possess this capability, but you can use Lars Hederer's free Emergency Recovery Utility NT (ERUNT) to back up and restore the XP Registry. Go to the link to download a copy of Hederer's program.

Restore or Delete Corrupted Files

I have some corrupted Word and Excel files that I can neither open nor delete. How are they getting corrupted, and what can I do about them?

Betty C. Jung, Guilford, Connecticut

The primary cause of a corrupted file is a system or application crash. If Windows or some other program blows a gasket while you have a file open, the file may not reopen properly later (fortunately, it's more likely to be unaffected).

If you're getting a lot of corrupted files, and you're not suffering a lot of crashes, the problem could be due to a virus--yet another reason to keep your antivirus protection up to date. Or the corruption could result from a flaw in your hard drive's file system or in the drive itself, which is a more serious problem. Using a disk utility to scan the drive will uncover these glitches and fix the file system.

To scan your drive in Windows 2000 and XP, open My Computer, right-click the drive, and select Properties, Tools, Check Now. Check both options and click Start.

In Windows 98 and Me, select Start, Programs, Accessories, System Tools, ScanDisk. Choose the drive, click Thorough, and check Automatically fix errors. Click Start to begin the scan.

The best way to recover a corrupted data file is from a recent backup. If you don't have a recent backup, the program that crashed may have created one for you automatically. For instance, by default, Word backs up every .doc file as a .wbk file in the same folder. Just load this file into Word and save it as a .doc file.

In the absence of any backup, you'll have to use a data-recovery program to retrieve the file. Ontrack markets a series of recovery programs called EasyRecovery, and Recoveronix offers a similar line called OfficeRecovery (see FIGURE 2). In either case, you can download a demo program that will tell you whether your file is salvageable. If it is, you'll still have to buy the actual program--which will probably cost $150 or more--to recover the data. And if that doesn't get you into the backup habit, I don't know what will.

FIGURE 2: Can that file be saved? The demo version of OfficeRecovery tells you if it's salvageable.

When you encounter a corrupted file that you can't even delete, there are two possibilities. First, the file may no longer exist, but a ghost of it may remain in the file system. Second, Windows may think that a program is still using it. Scan the drive as described above to solve the first problem, and reboot to fix the second.

Memory Card Sneakernet

Do you need a quick and easy way to move files from one computer to another? If you own a digital camera, a PDA, or any other device that uses memory cards, Ed Fink of Brentwood, California, recommends that you use these little squares of flash RAM on moving day. You can buy a CompactFlash or SmartMedia reader for as little as $10; SD, Memory Stick, and MultiMediaCard readers aren't much more expensive. All of these readers plug into a USB port, so you can easily connect them to just about any PC. And once you've moved the files, you have a convenient gadget for data backup and other file-storage purposes.


©2008 About.com, a part of The New York Times Company.

All rights reserved.