Email Abuse and Spam - OT port 135 attempts

Author

OT port 135 attempts

McWebber

2004-02-26, 5:35 pm

Is there some new worm out there?
Nothing like this in months and months, then all of a sudden a bunch of
these today:

Feb 26 15:49:31 admin portsentry[1836]: attackalert: Connect from host:
218-101-92-254.dialup.clear.net.nz/218.101.92.254 to TCP port: 135
Feb 26 15:30:47 admin portsentry[1836]: attackalert: Connect from host:
hlst-216-37-159-44.ppp.hlst.epix.net/216.37.159.44 to TCP port: 135
Feb 26 15:19:03 admin portsentry[1836]: attackalert: Connect from host:
AC8FC4D8.ipt.aol.com/172.143.196.216 to TCP port: 135
Feb 26 14:30:08 admin portsentry[1836]: attackalert: Connect from host:
216.40.174.139/216.40.174.139 to TCP port: 135
Feb 26 14:22:57 admin portsentry[1836]: attackalert: Connect from host:
hlst-216-37-159-64.ppp.hlst.epix.net/216.37.159.64 to TCP port: 135

--
McWebber
No email replies read
If someone tells you to forward an email to all your friends
please forget that I'm your friend.

Bill Levinson

2004-02-26, 6:35 pm

McWebber wrote:

> Is there some new worm out there?
> Nothing like this in months and months, then all of a sudden a bunch of
> these today:
>
> Feb 26 15:49:31 admin portsentry[1836]: attackalert: Connect from host:
> 218-101-92-254.dialup.clear.net.nz/218.101.92.254 to TCP port: 135
> Feb 26 15:30:47 admin portsentry[1836]: attackalert: Connect from host:
> hlst-216-37-159-44.ppp.hlst.epix.net/216.37.159.44 to TCP port: 135
> Feb 26 15:19:03 admin portsentry[1836]: attackalert: Connect from host:
> AC8FC4D8.ipt.aol.com/172.143.196.216 to TCP port: 135
> Feb 26 14:30:08 admin portsentry[1836]: attackalert: Connect from host:
> 216.40.174.139/216.40.174.139 to TCP port: 135
> Feb 26 14:22:57 admin portsentry[1836]: attackalert: Connect from host:
> hlst-216-37-159-64.ppp.hlst.epix.net/216.37.159.64 to TCP port: 135

I have port 135 restricted by Norton Internet Security. I think it
started with Messenger spams and now I think a worm is involved as well.
(Welchia). The problem is, I've been getting Welchia components despite
restricting all ports involved.

--Bill
http://www.stentorian.com/antispam/

Chris Uren

2004-02-26, 6:35 pm

On Thu, 26 Feb 2004 17:06:58 -0500, "McWebber" <mcwebber@my-deja.com>
wrote:

>Is there some new worm out there?
>Nothing like this in months and months, then all of a sudden a bunch of
>these today:
>

>Feb 26 15:49:31 admin portsentry[1836]: attackalert: Connect from host:
>218-101-92-254.dialup.clear.net.nz/218.101.92.254 to TCP port: 135

There's a new version of Welchia (D) doing the rounds which looks for
135. :-((

http://securityresponse.symantec.co...hia.d.worm.html

This is only part of the advisory.
The DCOM RPC vulnerability (described in Microsoft Security Bulletin
MS03-026) using TCP port 135. The worm specifically targets Windows XP
machines using this exploit.

(To indicate the Myth of the M$ tosser claiming it's only older OS
that are attacked.)

--
Animal

Bill Levinson

2004-02-26, 6:35 pm

Chris Uren wrote:
> On Thu, 26 Feb 2004 17:06:58 -0500, "McWebber" <mcwebber@my-deja.com>
> wrote:
>
>
>
>
>
>
> There's a new version of Welchia (D) doing the rounds which looks for
> 135. :-((
>
> http://securityresponse.symantec.co...hia.d.worm.html
>
> This is only part of the advisory.
> The DCOM RPC vulnerability (described in Microsoft Security Bulletin
> MS03-026) using TCP port 135. The worm specifically targets Windows XP
> machines using this exploit.
>
> (To indicate the Myth of the M$ tosser claiming it's only older OS

Access to Port 135 is restricted on my computer. How the HELL does
someone keep planting Welchia elements in my Temporary Internet files
directory (C:\WINDOWS\SYSTEM32\CONFIG\systemprofil
e\Local
Settings\Temporary Internet Files\Content.IE5), especially when I'm not
even using IE5???

Norton Internet Security detects them and denies access to them but
something screws up many of my XP applications (Word, Excel) and I have
to reboot before I can use them. Also, something has frozen the Norton
Internet Security control menu so I cannot access the logs, although the
program itself still seems active.

--Bill

Chris Uren

2004-02-26, 6:35 pm

On Thu, 26 Feb 2004 22:35:25 GMT, Bill Levinson
<wlevinson@NOSPAM.stentorian.com> wrote:

>I have port 135 restricted by Norton Internet Security. I think it
>started with Messenger spams and now I think a worm is involved as well.
>(Welchia). The problem is, I've been getting Welchia components despite
>restricting all ports involved.
>
>--Bill

Bill, have you been able to verify that none of the patches relating
to the DCOM RPC (Port 135) vulnerability haven't been patched by any
infection with with older patches, M$ has issued several patches as
the virus writers found new exploits. The virus writers programmed
succesive versions to get and install the older patches opening up the
Messenger service all over again

http://securityresponse.symantec.co...hia.d.worm.html

--
Animal

Bill Levinson

2004-02-26, 6:35 pm

Chris Uren wrote:

> On Thu, 26 Feb 2004 22:35:25 GMT, Bill Levinson
> <wlevinson@NOSPAM.stentorian.com> wrote:
>
>
>
>
> Bill, have you been able to verify that none of the patches relating
> to the DCOM RPC (Port 135) vulnerability haven't been patched by any
> infection with with older patches, M$ has issued several patches as
> the virus writers found new exploits. The virus writers programmed
> succesive versions to get and install the older patches opening up the
> Messenger service all over again
>
> http://securityresponse.symantec.co...hia.d.worm.html

I have run the worm removal tool, and System Restore is still off. I
know I have Port 135 (and the other indicated ports) blocked.

I'll try the worm remover again in SAFE mode and see what happens.

Some more information; I found this in Index.dat in
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile
\Local Settings\Temporary
Internet Files\Content.IE5
(I was actually trying to delete the entire directory to prevent the
worm from finding it). The indicated IP addresses both belong to
Earthlink, my service provider. It's hard to believe that they planted
the thing on a major ISP's servers. Maybe this is the transmission
route; I'm not an expert by any means.

I do have the latest virus definitions (just updated today).

Ò
h R0¸¢
WksPatch[1].exe URL ð˜r5’ùÃ 2
` h A ^ V0_² V0«²
http://165.121.36.133:8999/WksPatch.exe WksPatch[5].exe HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 12800

~U:system
m

URL
pÄ¾¼üÃ 2 ` h A ^
Z0n¸ Z0l¸ http://207.69.241.118:6927/WksPatch.exe
WksPatch[2].exe HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 12800

McWebber

2004-02-26, 8:34 pm

"Chris Uren" <pressedpork.animal.spamtrap@myrealbox.com> wrote in message
news:aqts30pshebkl1vtonv16kddj8qi3aa020@
4ax.com...
> There's a new version of Welchia (D) doing the rounds which looks for
> 135. :-((
>
>
http://securityresponse.symantec.co...hia.d.worm.html
>
> This is only part of the advisory.
> The DCOM RPC vulnerability (described in Microsoft Security Bulletin
> MS03-026) using TCP port 135. The worm specifically targets Windows XP
> machines using this exploit.
>

It's strange my home router shows no attempts at port 135 today.

--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003

Doktor DynaSoar

2004-02-26, 9:34 pm

On Thu, 26 Feb 2004 17:06:58 -0500, "McWebber" <mcwebber@my-deja.com>
wrote:

} Is there some new worm out there?
} Nothing like this in months and months, then all of a sudden a bunch of
} these today:
}
} Feb 26 15:49:31 admin portsentry[1836]: attackalert: Connect from host:
} 218-101-92-254.dialup.clear.net.nz/218.101.92.254 to TCP port: 135
} Feb 26 15:30:47 admin portsentry[1836]: attackalert: Connect from host:
} hlst-216-37-159-44.ppp.hlst.epix.net/216.37.159.44 to TCP port: 135
} Feb 26 15:19:03 admin portsentry[1836]: attackalert: Connect from host:
} AC8FC4D8.ipt.aol.com/172.143.196.216 to TCP port: 135
} Feb 26 14:30:08 admin portsentry[1836]: attackalert: Connect from host:
} 216.40.174.139/216.40.174.139 to TCP port: 135
} Feb 26 14:22:57 admin portsentry[1836]: attackalert: Connect from host:
} hlst-216-37-159-64.ppp.hlst.epix.net/216.37.159.64 to TCP port: 135

Don't know of a specific new one. That may be an old one or it may be
k1dd1es poking around to see if your remote process control has been
patched. Everything from 135 to 139 is effected. There's a worm out
there that exploits it, but there's lots of port pokers too.

I know that it comes in waves here. 5 or 10 days with 2 or 3 hits,
probably from local poorly configured machines trying to use printers
or something, and suddenly a 4 hour waves of a few hundred.

Chris Uren

2004-02-27, 4:35 am

On Thu, 26 Feb 2004 19:04:43 -0500, "McWebber" <mcwebber@my-deja.com>
wrote:

>
>It's strange my home router shows no attempts at port 135 today.

I think many providers blocked external port 135 access from entering
their service(s) when it peaked last year, whether they are still
doing so in all cases is anybody's guess.
Though this didn't stop attempts from their own IPs.

--
Animal

McWebber

2004-02-27, 8:34 am

"Chris Uren" <pressedpork.animal.spamtrap@myrealbox.com> wrote in message
news:pl2u30l1e1ik60p05rkn3hmk0clt72ejai@
4ax.com...
> On Thu, 26 Feb 2004 19:04:43 -0500, "McWebber" <mcwebber@my-deja.com>
> wrote:
>
>
> I think many providers blocked external port 135 access from entering
> their service(s) when it peaked last year, whether they are still
> doing so in all cases is anybody's guess.
> Though this didn't stop attempts from their own IPs.
>

Maybe Comcast did block it both ways. Despite tons of spam attempts from
trojaned Comcast users, I haven't seen any of these hits from there.
While I almost never see any spam from *.cable.rcn.com I have seen a few of
those trying port 135.

--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003

Chris Uren

2004-02-27, 9:35 am

On Fri, 27 Feb 2004 08:20:34 -0500, "McWebber" <mcwebber@my-deja.com>
wrote:

>Maybe Comcast did block it both ways. Despite tons of spam attempts from
>trojaned Comcast users, I haven't seen any of these hits from there.
>While I almost never see any spam from *.cable.rcn.com I have seen a few of
>those trying port 135.

I'm no longer shocked at what I see in my FW logs, seeing the packets
being blocked has it's own satisfaction. I do send the log's to
DShield regularly, at least the evidence has been logged and those
with the resources and technology can act on the logs.
Sans.org do seem to be requesting input from Admins though on some
types of traffic, so if anyone cares to check the site they may
something in their packets logs that might help confirm or even track
a source.

--
Animal

Morely 'spam is theft' Dotes

2004-02-27, 5:35 pm

Bill Levinson <wlevinson@NOSPAM.stentorian.com> wrote in news:yav%b.23316
$hm4.16533@newsread3.news.atl.earthlink.net:

> Access to Port 135 is restricted on my computer. How the HELL does
> someone keep planting Welchia elements in my Temporary Internet files
> directory (C:\WINDOWS\SYSTEM32\CONFIG\systemprofil
e\Local
> Settings\Temporary Internet Files\Content.IE5), especially when I'm not
> even using IE5???

You're using WinXP, aren't you?

WinXP carefully and thoughtfully reinstalls any viruses or trojans you may
remove, if they have infected copies of system files listed in the C:\WINDOWS
\SYSTEM32\Restore\FILELIST.XML file.

I'm currently fighting the GEN trojan on my niece's laptop; it's taken me 4
hours of hands-on time using numerous tools to get the spyware and infections
down to nothing but GEN and "CommonName." XP keeps reinstalling them after
Spybot S&D and Avast! remove them.

--
Tired of spam in your mailbox?
Come to http://www.spamblocked.com
Don't spam <A HREF="mailto:remote-printer.Mary_Higgins/Investor_Relations@
12029429634.iddd.tpc.int">this.</a>

Bill Levinson

2004-02-27, 5:35 pm

Chris Uren wrote:

> On Fri, 27 Feb 2004 08:20:34 -0500, "McWebber" <mcwebber@my-deja.com>
> wrote:
>
>
>
>
> I'm no longer shocked at what I see in my FW logs, seeing the packets
> being blocked has it's own satisfaction. I do send the log's to
> DShield regularly, at least the evidence has been logged and those
> with the resources and technology can act on the logs.
> Sans.org do seem to be requesting input from Admins though on some
> types of traffic, so if anyone cares to check the site they may
> something in their packets logs that might help confirm or even track
> a source.

Norton Internet Security, Personal Firewall, Internet Access Control,
Configure (drop-down menu), Trojan Horse settings-- I blocked Port 135
there as well and haven't been slimed by Welchia since-- keeping my
fingers crossed.

I also deleted the directories used by the Welchia-related "patches."

--Bill
http://www.stentorian.com/antispam/

Chris Uren

2004-02-27, 6:35 pm

On Fri, 27 Feb 2004 22:26:34 GMT, Bill Levinson
<wlevinson@NOSPAM.stentorian.com> wrote:

>Norton Internet Security, Personal Firewall, Internet Access Control,
>Configure (drop-down menu), Trojan Horse settings-- I blocked Port 135
>there as well and haven't been slimed by Welchia since-- keeping my
>fingers crossed.
>
>I also deleted the directories used by the Welchia-related "patches."

<--Fingers crossed that you've nailed the blighter now.

--
Animal

Chris Uren

2004-02-27, 6:35 pm

On 27 Feb 2004 21:58:56 GMT, "Morely 'spam is theft' Dotes"
<MorelyDotes@spamblocked.com> wrote:

>I'm currently fighting the GEN trojan on my niece's laptop; it's taken me 4
>hours of hands-on time using numerous tools to get the spyware and infections
>down to nothing but GEN and "CommonName." XP keeps reinstalling them after
>Spybot S&D and Avast! remove them.

If you have any old versions of MS DOS that had Dosshell as part of it
boot into dos then use Dosshell to browse the directory's and remove
all the files from them then the directory's including IE temp
directory's. (You can also use Dosshell to set directory attributes
while your at it).

--
Animal

McWebber

2004-02-27, 6:35 pm

"Morely 'spam is theft' Dotes" <MorelyDotes@spamblocked.com> wrote in
message news:Xns949C8BD073B6MorelyDotesspamblock
@216.99.211.247...
> I'm currently fighting the GEN trojan on my niece's laptop; it's taken me
4
> hours of hands-on time using numerous tools to get the spyware and
infections
> down to nothing but GEN and "CommonName." XP keeps reinstalling them after
> Spybot S&D and Avast! remove them.
>

http://www.xblock.com/download-freeware.shtml

--
McWebber
"Richter points to the lack of legal action against his company as proof
that he's operating appropriately."
Information Week, November 10, 2003

Bill Levinson

2004-02-28, 12:34 am

Morely 'spam is theft' Dotes wrote:

> Bill Levinson <wlevinson@NOSPAM.stentorian.com> wrote in news:yav%b.23316
> $hm4.16533@newsread3.news.atl.earthlink.net:
>
>
>
>
> You're using WinXP, aren't you?
>
> WinXP carefully and thoughtfully reinstalls any viruses or trojans you may
> remove, if they have infected copies of system files listed in the C:\WINDOWS
> \SYSTEM32\Restore\FILELIST.XML file.

I've had Restore shut down for a while. This file is not present in the
directory. The most recent file is about six months old (well before
Welchia existed).

So far it hasn't come back-- maybe wiping out \Temporary Internet
Files\Content.IE5 destroyed its home permanently.

--Bill

http://www.stentorian.com/antispam/

2004-02-28, 12:34 am

"Morely 'spam is theft' Dotes" <MorelyDotes@spamblocked.com> wrote in
news:Xns949C8BD073B6MorelyDotesspamblock
@216.99.211.247:

> Bill Levinson <wlevinson@NOSPAM.stentorian.com> wrote in
> news:yav%b.23316 $hm4.16533@newsread3.news.atl.earthlink.net:
>
>
> You're using WinXP, aren't you?
>
> WinXP carefully and thoughtfully reinstalls any viruses or trojans you
> may remove, if they have infected copies of system files listed in the
> C:\WINDOWS \SYSTEM32\Restore\FILELIST.XML file.
>
> I'm currently fighting the GEN trojan on my niece's laptop; it's taken
> me 4 hours of hands-on time using numerous tools to get the spyware and
> infections down to nothing but GEN and "CommonName." XP keeps
> reinstalling them after Spybot S&D and Avast! remove them.
>

Log in as an administrator.
right click on 'my computer'; properties; system restore; check the "turn off
system restore" box.

restart and hit the F8 key BEFORE the winXP splash screen appears and go to
safe mode.

right click on 'my computer' ; manage
check under 'services and applications; services for any processes that 'look
suspicous' stop and/or disable them. (keep notes so you can put back anything
you that you really need).

This week, I fought a trojan that was running a process ieplorer.exe for
several hours. It kept coming back until I thought to check for processes it
had installed.

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+nanae@ch100-5.chem.lsu.edu

Andy Lawson

2004-02-28, 1:34 am

"Morely 'spam is theft' Dotes" <MorelyDotes@spamblocked.com> wrote in
message news:Xns949C8BD073B6MorelyDotesspamblock
@216.99.211.247...
> Bill Levinson <wlevinson@NOSPAM.stentorian.com> wrote in news:yav%b.23316
> $hm4.16533@newsread3.news.atl.earthlink.net:
>
>
> You're using WinXP, aren't you?
>
> WinXP carefully and thoughtfully reinstalls any viruses or trojans you may
> remove, if they have infected copies of system files listed in the
C:\WINDOWS
> \SYSTEM32\Restore\FILELIST.XML file.
>
> I'm currently fighting the GEN trojan on my niece's laptop; it's taken me
4
> hours of hands-on time using numerous tools to get the spyware and
infections
> down to nothing but GEN and "CommonName." XP keeps reinstalling them after
> Spybot S&D and Avast! remove them.
>
Sounds like you need to turn OFF the system restore feature (cough) Morely.
It may also pay to check how much space Windows has assigned itself for the
System Restore feature as it can amount to hundreds of MB if you let it
decide for itself.

Most of the Antivirus sites warn that you'll need to turn it of if you're
trying to disinfect Windows ME or XP, I'm not too sure about Win 2k though.

Off topic slightly; I've only been keeping a weather eye on the group for
the last month, and I must say I'm disappointed the various trolls haven't
been nuked or crawled back under their rocks/bridges. Moving house and the
aftermath of a death in the family in addition to my unsociable work hours
have cut down my internet use to >1% of normal; thus I really only had time
to take in the highlights during breaks at work. But its good to be back.

Steve Baker

2004-02-28, 2:34 am

bz <bz+nanae@ch100-5.chem.lsu.edu> wrote in
news:Xns949CE891196CFWQAHBGMXSZHVspammot
e@130.39.198.139:

> right click my computer, properties, restore, check the disable box.
> boot into safe mode by restarting and hitting F
>

Disregard that post. Loose nut on keyboard.

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+nanae@ch100-5.chem.lsu.edu

Inigo Montoya

2004-02-28, 6:34 am

Bill Levinson wrote:

>Some more information; I found this in Index.dat in
> C:\WINDOWS\SYSTEM32\CONFIG\systemprofile
\Local Settings\Temporary
>Internet Files\Content.IE5
>(I was actually trying to delete the entire directory to prevent the
>worm from finding it).

I'm not sure you can. Windows would probably just recreate it. I've had
the same issue trying to remove the dumb@$$ "My Pictures" directory. Sorry
Bill, I've had pictures in a "Graphics" directory for years and I ain't
changing it because you said so.

You can look through Regedit for all instances of "Content.IE5" and erase
the string entry. That could break IE sufficiently. Backup the registry
first though, in case you really mess up.

--
My name is Inigo Montoya. You spammed my father. Prepare to die.

Everything I need to know about life, I learned from my cats.
- Morely Dotes

Chris Uren

2004-02-28, 7:34 am

On Sat, 28 Feb 2004 03:49:10 -0700, Inigo.Montoya@The.Princess.Bride
(Inigo Montoya) wrote:

>I'm not sure you can. Windows would probably just recreate it. I've had
>the same issue trying to remove the dumb@$$ "My Pictures" directory. Sorry
>Bill, I've had pictures in a "Graphics" directory for years and I ain't
>changing it because you said so.
>
>You can look through Regedit for all instances of "Content.IE5" and erase
>the string entry. That could break IE sufficiently. Backup the registry
>first though, in case you really mess up.

Windows does create a number of directories by default but they can
deleted, including any DAT files in them (IE Temp).
At least as long as the registry is not re-installing malware at start
up you should have clean DAT files in the newly created directories.

It looks like he's cracked the problem for now.
If he keeps an eye on his msconfig file for a while just to ensure
there isn't any attempt to run anything iffy.
Might also be worth confirming there are no entries in his win.ini
file set to run at reboot.

--
Animal

Bill Levinson

2004-02-28, 11:35 am

McWebber wrote:

> "Morely 'spam is theft' Dotes" <MorelyDotes@spamblocked.com> wrote in
> message news:Xns949C8BD073B6MorelyDotesspamblock
@216.99.211.247...
>
>
> 4
>
>
> infections
>
>
>
> http://www.xblock.com/download-freeware.shtml

I like this; I've added it to my list of security and privacy resources
at http://www.stentorian.com/antispam/. It looks like a good disk
cleanup utility too.

--Bill

Kelly Bert Manning

2004-02-28, 8:34 pm

bz (bz+nanae@ch100-5.chem.lsu.edu) writes:
> bz <bz+nanae@ch100-5.chem.lsu.edu> wrote in
> news:Xns949CE891196CFWQAHBGMXSZHVspammot
e@130.39.198.139:
>
>
>
> Disregard that post. Loose nut on keyboard.

Is that anything like a PEBKAC?

2004-02-29, 4:34 am

bo774@FreeNet.Carleton.CA (Kelly Bert Manning) wrote in news:c1rcec$b31$1
@freenet9.carleton.ca:

> bz (bz+nanae@ch100-5.chem.lsu.edu) writes:
>
> Is that anything like a PEBKAC?
>

egg-zactly. I hit the wrong key and sent the article before I was finished
with it, leaving the reader to wonder just what 'hitting F' might be all
about.

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+nanae@ch100-5.chem.lsu.edu

Morely 'I drank what?' Dotes

2004-02-29, 6:34 am

While gargling concrete on 27 Feb 2004, bz
<bz+nanae@ch100-5.chem.lsu.edu> wrote in
news:Xns949CEC5C8E0DBWQAHBGMXSZHVspammot
e@130.39.198.139 right after
begin :

> restart and hit the F8 key BEFORE the winXP splash screen appears and
> go to safe mode.

No longer a problem; this being a COMPAQ, which has no real BIOS (it's
stored on the HDD), the system will no longer boot.

She can afford a new laptop (her alimony was $90,000/yr plus $9000/mo child
support); she will be informed that the viruses installed via Kazaa
destroyed it. AFACT, that's the truth.

--
Want a custom-built PC designed by gamers, for gamers?
Visit http://kryptonite.pc-gamereview.com
Tired of spam in your mailbox?
Come to http://www.spamblocked.com

2004-02-29, 12:34 pm

"Morely 'I drank what?' Dotes" <morelydotes@spamblocked.com> wrote in
news:Xns949E149FB672Amorelydotespcgamere
v@192.168.1.197:

> While gargling concrete on 27 Feb 2004, bz
> <bz+nanae@ch100-5.chem.lsu.edu> wrote in
> news:Xns949CEC5C8E0DBWQAHBGMXSZHVspammot
e@130.39.198.139 right after
> begin :
>
>
> No longer a problem; this being a COMPAQ, which has no real BIOS (it's
> stored on the HDD), the system will no longer boot.
>
> She can afford a new laptop (her alimony was $90,000/yr plus $9000/mo
> child support); she will be informed that the viruses installed via
> Kazaa destroyed it. AFACT, that's the truth.
>

Assuming she has a Compaq Presario, she should have a recovery CD that came
with the LAPTOP. The laptop should boot from the CD. She may be able to
recover some of her data but may need to do a Factory Restore, which
reformats the hard drive.

If she can't find the CD, she can probably get a new one from Compaq.

If you do such a restore, be sure and install the blaster patches from a CD
BEFORE you go online with the computer. Nowdays, I am seeing computers that
are not up-to-date on patches gettin infected within seconds of being put
online.

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+nanae@ch100-5.chem.lsu.edu

Morely 'I drank what?' Dotes

2004-02-29, 2:35 pm

While gargling concrete on 29 Feb 2004, bz
<bz+nanae@ch100-5.chem.lsu.edu> wrote in
news:Xns949E6951DE45DWQAHBGMXSZHVspammot
e@130.39.198.139 right after
begin :

> Assuming she has a Compaq Presario, she should have a recovery CD that
> came with the LAPTOP. The laptop should boot from the CD.

Actually, the hard drive won't even spin up, the CD-ROM won't eject...
Essentially, the only thing that it will do is turn the pilot light on and
off.

It's a very expensive, very dim night light.

--
Want a custom-built PC designed by gamers, for gamers?
Visit http://kryptonite.pc-gamereview.com
Tired of spam in your mailbox?
Come to http://www.spamblocked.com

2004-02-29, 6:34 pm

"Morely 'I drank what?' Dotes" <morelydotes@spamblocked.com> wrote in
news:Xns949E682788D44morelydotespcgamere
v@192.168.1.197:

> While gargling concrete on 29 Feb 2004, bz
> <bz+nanae@ch100-5.chem.lsu.edu> wrote in
> news:Xns949E6951DE45DWQAHBGMXSZHVspammot
e@130.39.198.139 right after
> begin :
>
>
> Actually, the hard drive won't even spin up, the CD-ROM won't eject...
> Essentially, the only thing that it will do is turn the pilot light on
> and off.
>
> It's a very expensive, very dim night light.
>

That would be a challenge to work on, for sure.

There is a company in canada that will fix hard drives and recover data.
I don't know if she had anything worth their price, or not. No charge if
no data.

There are a few things I would try, if I had the computer in hand.

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+nanae@ch100-5.chem.lsu.edu

Uncle StoatWarbler

2004-02-29, 7:34 pm

On Sun, 29 Feb 2004 22:19:02 +0000, bz wrote:

> There is a company in canada that will fix hard drives and recover data.

A 2.5" to 3.5" adaptor is a lot cheaper and faster if the drive works.
Recovery companies are the next step.

2004-02-29, 8:34 pm

Uncle StoatWarbler <alanb+google5@google5.manawatu.net.nz> wrote in
news:pan.2004.02.29.23.59.35.398246@google5.manawatu.net.nz:

> On Sun, 29 Feb 2004 22:19:02 +0000, bz wrote:
>
>
> A 2.5" to 3.5" adaptor is a lot cheaper and faster if the drive works.
> Recovery companies are the next step.
>
>
>

Quite right. He said it wouldn't spin up, but I should not have assumed that
the drive was really bad.

--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+nanae@ch100-5.chem.lsu.edu