WormGuard & W32.Sobig.A@MM


Peaches4U
April 18th, 2003, 12:34 AM
Have trial version and WG took on a nasty biggie, namely, "Sobig". This worm instantly corrupted my Norton AV and denied access to quarantine the worm. :( But, fortunately I have AVG also and it quarantined the worm. This worm did a freeze on Norton rendering it inoperable. However, Sobig corrupted 2 files in my System Restore. [have WinXP] I downloaded the Removal Tool from Symantec, ran it several times adhering to instructions; uninstalled & re-installed Norton. I disabled my System Restore and ran the removal tool twice. All scans came out "clean" by AVG & Housecall & SobigFix. But, WG did its thingie too but action taken did not show up on my screen when infected. As I was attempting to access SYSTEM RESTORE, WormGuard flashed this at me "Warning: For Security reasons this file has been blocked from executing". Okay, well & good but how do I deal with WG at this stage? Is it safe to click on WG to allow files to run since I have run the removal tool after disabling SYSTEM RESTORE? ??? Reason I ask is that this worm has the ability to re-install itself again. >:(

Jooske
April 18th, 2003, 02:09 AM
Hmmm
Hi Peaches4u, sad story.
How did the thing come on your system in the first place and how was it able to run and infect you? If you have WG installed you should have had a warning of blocking a nasty and why.
If you have NAV with the email scanning and protection loaded, NAV should have quarantined it before running and infecting, so it should not have been able to disable NAV,
and if you have ZAPro (zone alarm pro version) its email safe should have renamed and quarantined the worm too, while clicking the infection from an email should have made popup the ZAPro warning, if still insisting to run it the WG warning with possibility to look at the file in the safe mode should have been there, and i'm not sure what NAV would have done, all before the nasty could ever have been running and infecting at all!
So how could it?
If you have TDS installed with exec protection that last one would have determined nasty code and disabled the running another time, and i don't know what your AVG does in the meantime.


I wonder if you have WG why it did not block before infecting you, was there not any warning to stop it?
If you found the filenames it's trying to execute, not the wormname itself, add this/those in the field on the right for blocked files to start with.
If WG is warning it is there and if possible don't use that restore version.
I'm not all familiar with the restore function, so i hope others jump in here, thought it was something like reboot and a new clean restore will be made, hope this is correct, and i don't know exactly if for this reboot the restore must still be disabled or enabled, so with this infection i'm not 100% sure, waiting for people who really can tell this with all certainty.
You seem to have WG properly installed and enabled, as it does give you warnings now fortunately.
If you have no TDS yet, have a trial and update with the latest radius and scan all there is on highest sensitivity another time, even after your reboot and system restore to be all sure.
With the system restore you could also have gone back to a point you were sure to be before the infection, btw, but ok, you are this far and clean already.
I suppose the registry keys have been cleaned out by the SobigFix tool as well?

Pilli
April 18th, 2003, 03:12 AM
Peaches4u, Jooske is correct in asking how you got this Worm. As for the System restore function in XP - Most AVs / AT's cannot scan inside the file - WG is detecting Sobig when it is accessed by the system restore function. It sounds to me as though you or another user may have inadvertently installed an email attachment, having said that reading below it looks like it can change or new variants can be created & this may also be the problem.

I am not familiar with this worm but did find the following info'

[q]Sobig is a mass-mailing worm incorporating its own SMTP engine, according to antivirus companies. It arrives from the e-mail address "big@boss.com" and bears a subject line such as "Re: here is that sample", "Re: Movies", "Re: Document" or "Re: Sample". The e-mail contains an attachment called "Document003.pif", "Sample.pif", "Untitled1.pif" or "Movie_0074.pif".

It affects the Windows 95, 98, Me, NT, 2000 and XP platforms. The worm was originally not considered a serious threat, but has been upgraded due to its rapid spread.

When the attachment is clicked on, it runs a program that searches for files containing e-mail addresses and uses these to send infected e-mails. It also connects to a Web site and downloads a text file containing another Web address, from which it attempts to download and run another program. MessageLabs speculated that this program was a backdoor trojan horse, which could allow a hacker to take control of the user's PC.

If there is a local-area network connection, Sobig attempts to copy itself onto shared network folders.[/q]

Peaches4U
April 19th, 2003, 01:56 AM
:'( The infection must have occurred when doing my email. Oh yes, both AV programs flashed on my screen - Norton froze and AVG picked up the worm and automatically quarantined it. I may have opened an email from a usual contact - this contact having an infected machine and the worm sent itself to me. I never open anything from unknown sources.
For starters, I have ZoneAlarm [freebie], Norton 2002 version and AVG [freebie] AV, SpyBot, Ad-aware; SpywareBlaster, SpywareGuard and WormGuard. How it got past all this is beyond me. SpywareGuard gave no warnings on the screen even though it is set to do so. I have my Outlook configured to block all mail & attachments with the following extensions: vbs; shs; pif; scr; txt; wsh; hta; sha; jse; eml; html; htm; wab; so am surprised a "pif" came through. My preview pane is closed and I only open it from my Toolbar when I am confident that it is from my regular contacts. My OE is set to warn me if unauthorized mail is sent. Today, mail I was sending halted and in the details area it said "warning"! Sounds to me like the worm still resides. I did an AVG scan - all clean. No warning came from WormGuard.
One of my contacts must have the worm in their computer which sent itself to me but which one? I am at the stage when I see an attachment clip, I simply delete without opening - or I will sometimes email back asking the contact if they sent same to me. I am now also going to start deleting all forwards which in my opinion, originate from sources often unknown to me.
WormGuard is still not allowing my system restore to run.
SobigFix can scan and repair System Restore -
About System Restore in WinXP, Windows prevents System Restore from being modified by outside programs, so antivirus programs or tools cannot remove threats in the System Restore folder. As a result System Restore has the potential to restore an infected file onto your computer even after you have cleaned the infected files from other locations. In some cases, online scanners may detect a threat in the System Restore folder even though you scanned the computer with an AV program and did not find any infected files. So if WormGuard is not allowing system restore to run, how can the worm restore itself and get out? However, SobigFix from Symantec is supposed to clean out System Restore and repair the files - I ran the tool and everything checked out okay - I did it several times.
I have checked my registry for any unusual entries named by Symantec - there are none. Going back a step or two, after I had first done the SobigFix & because it was late I signed off the internet and tackled SystemRestore with SobigFix after reading my email. Worst luck would have it I got hit with the worm a second time. The worm must have restored itself or came through as an email. My AVG anti-virus scan nabbed it a 2nd time and quarantined it. So how did it get past WormGuard? There was no warning from WormGuard! Ahrrrr!!!! Norton came on the scene again but froze on screen "access denied" was the message. Oh, there was nothing unusual in the subject lines and most certainly none that I have searched in my deleted mail [all 563 emails - plus the 85 I have yet to read] that was mentioned by Philli.

It may well be that my Outlook Express is also corrupted. My Outlook Express is not functioning properly....I have problems sending mail and incoming mail seems to gag. Yet, I can't find anything so possibly I may have to uninstall Outlook Express and re-install it again.... What say you all?
I have been especially careful to run a "tight ship" and have been advising my contacts to please do so and to visit these forums to learn as I did. Well, you can lead a horse to water but you can't make them drink! If I sound frustrated, you bet I am!!

Jooske
April 19th, 2003, 03:16 AM
Hi Peaches4u,
May i first concentrate on the Sobig part here?
I might suppose the file would have been deleted or disinfected somehow, but restore is famous for putting back infections, unless you do a reboot, after which you manually make a new restore point from the now clean situation.
I suppose you did so, right?
Is it possible to delete infected older restore points, if not all to gain disc space?
Not sure what the infected code in there looks like after that fix, as it seems not deleted nor made completely unexecutable as it runs fine again once you allow that restore point to be used. WG sees that kind of code, executable or not, so you will get that alarm, till you have a new clean restore point.


For the email scanning/attachments:
Your free ZA only scans for VBS.
The pro version scans also on exe, com, url, bat, chm, cpl, hta, ins, isp, jse, js, mda, mdb, mde, ade, adp, mdz, msc, prf, dhx, nch, pcd, reg, scr, crt, inf, shb, shs, pif, lnk, vbe, vb, vbs, bas, mst, scf, msi, msp, asx, wms, cmd, sct, wsc, wsf, wsh, hlp
So you might like to add all your email scanner settings can handle.
Which of your programs does the email scanning?
If your NAV froze instead of blocking the file, there is something wrong:
Did you have WG installed and enabled that moment already?
If there is a warning, NAV quarantining the file, maybe a warning about what happened and your system brought into safety, so you can work on, but with your updated system and WG installed the file never ever should be able to run without all the proper configured defence tools.

You might like to do a repair install for IE in which OE is included:
first of all close all the av/at except WG/TDS.
control panel > software > add/remove, hunt for the MS Internet explorer > 1x click add/remove, you should get a popup with among others an option for a rep, which you do (is just a second) best reboot after that.
If you can't you get a warning and you'll have to do a new install on the update site, for IE, which will just copy the missing files and in a few moments you're complete again. Might have to reboot and look at the OE settings if it's working properly now.
Maybe it doesn't like two or more scanners blocking it, could be NAV and AVG were fighting over the file detection ending up infecting you anyway.
I never run two av/at programs at a time.

Pilli
April 19th, 2003, 04:47 AM
Peaches4u, Jooske gives good advice, there are still a couple of things that bother me though.
1. Sobig can call for or have a Trojan attached so when you start up your PC this Trojan could be phoning home & re-installing Sobig, the Trojan may also be able to screw up Norton but AVG is catching the Sobig re-install. This may depend on your Internet connection, if you are a cable/ADSL user on 24/7 then this "possible" Trojan is starting its actions when your PC is connected. You sound as if you are very careful with your PC security so I must assume that you have your firewall set up correctly etc.
2. In XP you can delete all the restore points from the Help & Support Centre, so maybe deleting all the current restore points & then after cleaning out sobig again create a new restore point called "Clean" whilst disconnected from the internet. Restart your pc & restore using the restore point "clean" that you created.

Not sure if this will help but maybe, just maybe, it will - Pilli

Peaches4U
April 19th, 2003, 04:51 AM
:'( Wow, from what you just said, I think I shall get the paid version of ZoneAlarm - well worth it. Thanks Jooske I shall follow your instructions re IE. & other recommendations. Now regarding system restore, and Sobig, I did not do a reboot as it was not mentioned in the Symantec instructions. :-[ I did not set a new restore point [wow so much to learn about the restore feature as I had never had cause to deal with it. :(] Shall have to figure out how it is done.

Regarding Outlook Express, I think I have found the culprit and it has nothing to do with the worm. ;D Did an Ad-Aware scan rather than SpyBot, thinking perhaps some spyware got through and I find a Data Miner [quarantined it] which is a RedSherrif Tracking cookie. I learned it resides in java applets ..... this led me on the hunt and to this site: http://www.wilderssecurity.com/archive/index.php?board=34;action=display;thr - I believe it might be just as simple to put this nasty into my restricted sites but I first have to study and comprehend info from this site: http://www.spywareinfo.com/yabbse/index.ph...y;threadid=2239....... oooooh, not tonight as I wiped. Maybe you can leave me some suggestions to save on a lot of searching.

Anyway, suddenly my email is working as it should be after the quarantine. Thanks Jooske for your help, you are the best. ;)

Pieter_Arntz
April 19th, 2003, 06:11 AM
About XP System Restore (http://www.extremetech.com/article2/0,3973,10916,00.asp).

Regards,

Pieter

Jooske
April 19th, 2003, 08:56 AM
Glad it all worked out fine.
Guys thanks for the system restore info, as i'm not using it myself, i'm glad you correct these important gaps!
Saves people from deleting and deleting again :)

spy1
April 19th, 2003, 09:31 AM
Peaches - A few points occur to me that haven't been mentioned so far.

(a) You said: "I never open anything from unknown sources." It doesn't really matter whether you know the source or not - known sources are just as likely to be infected as unknown sources (and I'm a little confused by the fact that the description of the worm says that the sender name is always "big@boss.com" - unless of course, you know someone by that name! :) ). Not to mention the fact that many of today's virii, trojans and worms will come to you looking like they were sent from someone you know, even though that's not actually the case (their email addresses get picked up from various people's address books - whether or not those individuals are actually infected or not, the malware will still appear to be coming from them).

(b) SpywareGuard isn't going to warn you about something like what you experienced - it's not an AV or an AT program, it's strictly for "spyware" not malware (ditto for AA, SBS&D and SpywareBlaster).

(c) I never recommend use of the "Preview Pane" at any point during OE usage - I simply don't trust it due to its penchant for letting things run automatically that shouldn't be allowed to run. If you want to "preview" your email, use MailWasher (I also use Benign, by the same company that makes MW - both can be found at http://www.firetrust.com).

Also, as far as your OE settings go, when you go to Tools/Options in OE, do you have (on the "Security" tab, under the "Virus protection" heading) "Restricted sites zone (More secure)" checked? If not, you should. (And you should have all your "Restricted Zone" options set to "Disable"/"High".) You might want to think about putting a dot in the radio button in front of "Do not allow attachments to be saved or opened that could potentially be a virus" - I don't do that (it's a PITA), but it would have nipped your problem in the bud.

(d) What version of OE are you running? When I click on Help/About Outlook Express in OE, mine says "6.00.2800.1106 (xpsp1.020828-1920)" - what does yours say?

(e) You said: " I have searched in my deleted mail [all 563 emails - plus the 85 I have yet to read] that was mentioned by Philli." Was that a mis-statement? Or do you really still have all your "deleted" emails in the "Deleted Items" folder? If so, why? You need to empty it if that's the case, because loading up any of your folders in OE will eventually cause irreversible corruption of OE.

(f) You said: "I have AVG also and it quarantined the worm." Okay, does the free version of AVG let you delete the quarantined worm from there, too? Seems like you'd need to get rid of it from there, also, to get it completely off your system, "quarantined" or not.

(g) If your Norton 2002 was fully up-dated (both engine and definition-wise) at the time of the infection, I really don't understand that, either (does anyone know if installing N2002 to a non-standard location, or changing the name of its exe, would have helped keep it from being knocked out?). It also raises the question in my mind of whether the fact that you have two AV's running resident at the same time might have come into play and defeated Norton's ability to deal with it properly.

Disabling System Restore: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

It's one of those "given" things that it's standard procedure to re-start the computer after making changes, be it deleting something, installing something, un-installing something, etc.

It's another one of those given things, when you're dealing with an infection of any sort, that you get all your "dis-infection" info together, print it out, get offline (whether you have to un-plug the phone line or the cable modem line or whatever ), then do the "fixing", then re-start the computer (while still offline).

Okay, my brain's fried and I'll hush. Hope something in here helped. Pete

Pilli
April 19th, 2003, 11:55 AM
Nice one Spy1 - You could edit it slightly and make it into the start of a tutorial ;D One karma cookie from me - Enjoy!

Peaches4U
April 19th, 2003, 11:55 PM
{QUOTE-> quoting spy1: Peaches - A few points occur to me that haven't been mentioned so far.

(a) You said: "I never open anything from unknown sources." It doesn't really matter whether you know the source or not - known sources are just as likely to be infected as unknown sources (and I'm a little confused by the fact that the description of the worm says that the sender name is always "big@boss.com" - unless of course, you know someone by that name! :) ) <-QUOTE}
Reply: Pete - I checked all my deleted mail and no where was there an email from "big@boss.com" nor any email that contained any of the words used by Sobig in the subject line. Strange!!


{QUOTE-> Not to mention the fact that many of today's virii, trojans and worms will come to you looking like they were sent from someone you know, even though that's not actually the case (their email addresses get picked up from various people's address books - whether or not those individuals are actually infected or not, the malware will still appear to be coming from them). <-QUOTE}
Reply: Well, I think that is how the infection happened. I traced it down to 3 possible contacts for that day. One I am sure was okay and the other two are questionable as I know they have no spyware protection, etc. Both had "sick" computers, as they put it, prior to this infection.


{QUOTE-> (b) SpywareGuard isn't going to warn you about something like what you experienced - it's not an AV or an AT program, it's strictly for "spyware" not malware (ditto for AA, SBS&D and SpywareBlaster). <-QUOTE}
Reply: True, however, SG did react in the background and I am grateful for it.


{QUOTE-> (c) I never recommend use of the "Preview Pane" at any point during OE usage - I simply don't trust it due to its penchant for letting things run automatically that shouldn't be allowed to run. If you want to "preview" your email, use MailWasher (I also use Benign, by the same company that makes MW - both can be found at http://www.firetrust.com). <-QUOTE}
Reply: I do have my preview pane closed and only open it from my toolbar occasionally. Yeah, I do get lazy from time to time... :-[ I have also written about this in my Club newsletters as I do a wee column on tips & stuff of interest.


{QUOTE-> Also, as far as your OE settings go, when you go to Tools/Options in OE, do you have (on the "Security" tab, under the "Virus protection" heading) "Restricted sites zone (More secure)" checked? <-QUOTE}
Reply: The answer is "Yes" but will re-check it again.


{QUOTE-> If not, you should. (And you should have all your "Restricted Zone" options set to "Disable"/"High".) <-QUOTE}
Reply: Checked and it is set on High.


{QUOTE-> You might want to think about putting a dot in the radio button in front of "Do not allow attachments to be saved or opened that could potentially be a virus" - I don't do that (it's a PITA), but it would have nipped your problem in the bud. <-QUOTE}
Reply: It is set that way but can't remember just when I did it but believe it was "before" the infection & case scenario with my neighbor. Thinking back, I believe I shut mine down after my neighbor had problems with an open preview window by getting several virus infections last Fall. However, that is not to say that I may not have forgotten and left mine open after sorting through my mail before deleting. It could have happened??????????


{QUOTE-> (d) What version of OE are you running? When I click on Help/About Outlook Express in OE, mine says "6.00.2800.1106 (xpsp1.020828-1920)" - what does yours say? <-QUOTE}
Reply: It is the same: 6.00.2800.1106[xpsp1]0208-28-1920


{QUOTE-> (e) You said: " I have searched in my deleted mail [all 563 emails - plus the 85 I have yet to read] that was mentioned by Philli." Was that a mis-statement? Or do you really still have all your "deleted" emails in the "Deleted Items" folder? If so, why? You need to empty it if that's the case, because loading up any of your folders in OE will eventually cause irreversible corruption of OE. <-QUOTE}
Reply: Well we were away and as I get an average of 50 plus emails daily, it built up whilst I was trying to catch up. I have finally emptied the folders, did maintenance, so okay that way. However, as previously stated I think that it was RedSherrif [data miner] that was causing my OE to misfunction because after Ad-Aware quarantined it, & I deleted it, my OE is working fine... so, I would guess that Sobig did not have enough time to do damage there. It seems like everything was happening at the same time.


{QUOTE-> (f) You said: "I have AVG also and it quarantined the worm." Okay, does the free version of AVG let you delete the quarantined worm from there, too? <-QUOTE}
Reply: Yes, it can be deleted manually or set to be deleted automatically after "X" number of days in quarantine. I did a manual delete instantly.


{QUOTE-> Seems like you'd need to get rid of it from there, also, to get it completely off your system, "quarantined" or not. <-QUOTE}
Reply: Did that immediately after I ran the removal tool along with internal & external [namely, housecall] scans.


{QUOTE-> (g) If your Norton 2002 was fully up-dated (both engine and definition-wise) at the time of the infection, <-QUOTE}
Reply: Although I have Norton set to update automatically as well as AVG, I do not trust that completely as I am not always online. I check manually like every other day or sooner but never later unless I am away but even then as soon as I return & sign on, I check for updates for everything that needs it. However, I do get busy and sometimes am not able to stick to my schedule.


{QUOTE-> I really don't understand that, either (does anyone know if installing N2002 to a non-standard location, or changing the name of its exe, would have helped keep it from being knocked out?). <-QUOTE}
Reply: Pete, I believe J.S. Exploit also knocks out Norton. I think I read that somewhere and I think, if memory serves me, that a friend had it knock out their Norton. My neighbor has only Norton and picked up Sobig last year [twice] and it knocked out her Norton also. She also picked up Yaha. Actually, she was in such a mess at one point she could not sign on the internet, or do anything so I downloaded the tools on to a diskette along with printing the instructions and gave them to her. Her OS is WinXP & Norton 2002. So perhaps Sobig was enhanced to do so in order not to be blocked. She also had Klez around the same time. Eventually she had to pay a pro to clean it up for her. I have since discussed security with her and to close her preview pane but she is hard to convince. What can I say??


{QUOTE-> It also raises the question in my mind of whether the fact that you have two AV's running resident at the same time might have come into play and defeated Norton's ability to deal with it properly. <-QUOTE}
Reply: From a discussion board I visit fairly often, many run both and found no interference. In my case, if I remember correctly Norton came on the scene first because that is when I tried to quarantine the worm and it froze with access denied. AVG came on screen on top of Norton and did the quarantine automatically.


{QUOTE-> Disabling System Restore: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

It's one of those "given" things that it's standard procedure to re-start the computer after making changes, be it deleting something, installing something, un-installing something, etc. <-QUOTE}
Reply: Thank you, I shall check out the sites and print out the necessary details. Ah, I have learned something new re the re-start of the computer. I admit I fail here as I only did the re-start when prompted. :(


{QUOTE-> It's another one of those given things, when you're dealing with an infection of any sort, that you get all your "dis-infection" info together, print it out, get offline (whether you have to un-plug the phone line or the cable modem line or whatever ), then do the "fixing", then re-start the computer (while still offline). <-QUOTE}
Reply: :-[ Well, I erred in not working offline on a restart. Yes, I did print out the removal instructions as well as how to disable & enable restore before dealing with the infection. No way on earth I would be able to remember all the details. I am on cable and it is a real pain to get to the back of the CPU to disconnect. Big time error here.


{QUOTE-> Okay, my brain's fried and I'll hush. Hope something in here helped. Pete <-QUOTE}

- Fixed the YABBC tags that caused a page format problem - LWM

Jooske
April 20th, 2003, 01:55 AM
You will like to read in the TDS Helpmanual the "Hunting unknown trojans" , very instructive.

WG protects you from nasty website stuff entering and activating on your system as well, together with your other security settings.

Pilli
April 20th, 2003, 03:32 AM
Jooske, Hopefully we will be beta testing WG4 soon which will feature regular incremental updates etc + its already formidable heuristics from WG3 will give us even better protection against all these Nasties!

Peaches4U
April 20th, 2003, 02:39 PM
:-* Thanks everyone for all the good advice. I have no doubt I will purchase WormGuard but will wait for the newer version. Whatever it does, it does well. :) It was proven to me. Pete has recommended SPYAD and shall have it installed today. Actually my little episode was a great learning experience for me - I feel so much smarter. :D Sweet peaches to all of you.

Jooske
April 20th, 2003, 03:22 PM
Thanks for the peaches Peaches4u.
For WG: if this works fine for you, i would not wait for the newer version, as registered users will be upgraded for free, so all this time you know yourself well protected. But do enjoy your evaluation time with it anyway, till you decide to keep it and i hope the newer version is then even closer. Seems really round the corner for beta testing, depending on our finds it can take a few weeks or a little bit longer so keep an eye on our messages :)

You might like to grab the new free AutostartViewer to look what's all running --it will take a little while to know what is all that, especially on your XP with all the services, but curious as i can be about the system, i like to know. Nothing to install, just unzip it somewhere you like and start it to have a look!

You have the spy-detection tools, av/at, wg, the whole lot and your growing experience.
Port Explorer you did look with already for possible connections, so with the whole DCS tools kit you really have something in hands for new layers of security.
And from there all the joy and fun!

Peaches4U
April 24th, 2003, 05:10 PM
:'( I am banging my head against the wall again. I disabled my system Restore in WinXP and did the scan again with the FixSobig tool and it reported that nothing was found. Okay, so then I proceeded to set a new restore point but in order to do so I need the Help & Support feature. When I click on it, I get the message that it is not valid - so I could presume that the worm damaged this file. Is there another way I can get around this? I did a disk cleanup including Restore but still WormGuard is stopping System Restore from running. I changed WormGuard to allow SR to run after I did the scans which showed "no infections" but it is still disallowing the file to run. Where to from here? I did a C&P of the details of the file, if one wishes to view what is in there I can post it - I don't understand anything there - oh boy, talk about feeling stupidly frustrated :'( Am a messy peach right now. :(

LowWaterMark
April 24th, 2003, 05:30 PM
Hi Peaches,

If this is the message you are getting...

http://www.wilderssecurity.com/attachments/hepsupp.gif

then take a look at this thread regarding possible causes and solutions to this problem...

http://www.wilderssecurity.com/showthread.php?t=3705;start=45

Also, to run the interface to System Restore directly, you can enter this in the Start menu > Run... box:

%windir%\system32\restore\rstrui.exe

HTH,
LowWaterMark

Jooske
April 24th, 2003, 05:37 PM
Did you disable SR > reboot > enable SR and from there try to make the new SR point?

Peaches4U
April 24th, 2003, 07:37 PM
To LowWaterMark - yes that is exactly the message. I have read the fix and printed it out so that I can follow it step by step. Hope it works .... thanks also for the tip in getting into system restore....

To Jooske - To be honest I cannot remember if I rebooted or not as I was going step by step from Symantec instructions which did not include a reboot. - I will repeat the process and make sure I do the reboot bit & have made note of it in case I ever needed the info again - heaven forbid. :-[

Peaches4U
April 24th, 2003, 10:14 PM
For LWM - To help restore Helpctr.exe in windows I got as far as "pchealth" but it did not have .inf added [searched everywhere] so I right clicked on PCHealth but no install to click on. :o Where to now?

When dealing with REG_EXPAND_SZ this is what it showed:
Temp: %SystemRoot%\TEMP
IMP: %SystemRoot%\TEMP
Windir: %SystemRoot%

Under Value data, I typed in C:\\Windows and it replaced the existing Windir. Trying to add a new Windir simply gave the message [already exists]. It now reads Windir: C:\\Windows. Is this okay?

Jooske - I redid the whole process and this time I did all the rebooting - no mistake about it this time. ;D

LowWaterMark
April 24th, 2003, 10:51 PM
Hi Peaches,

Okay, in the C:\Windows\Inf\ folder there was no file called "pchealth.inf"? See image below (note, on my system, my Windows folder is actually WinNT, but it is the same thing.) Were there any files in the 'Windows\Inf' folder?

You said > "so I right clicked on PCHealth but no instal to click on" - Where, which PCHealth, in what folder? What was its file extension (PCHealth.XXX)?

Also, Gavin's instructions were these:
{QUOTE-> Helpctr.exe not responding - Go to Start/Run and type in: Helpctr.exe. For some users this has restored the functionality in the Start Menu.

If the above didn't help:

Check your settings here: Go to Start/Run/Regedit and navigate to this key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment

In the right pane, if windir is listed under type as REG_SZ, it needs to be changed to REG_EXPAND_SZ, Value Data: C:\Windows.

If this is the case:

Go to: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment

Right click on Environment, then choose Export, name it and save it. Then go to the right pane, right click in an empty area and choose New/Expandable String Value. Name it windir. Then double click it and under Value data, type in: C:\WINDOWS

From there, right click and delete the windir which type was listed as REG_SZ then hit refresh (F5).

To reinstall Help and Support: Go to C:\Windows\inf\pchealth.inf
Right click and choose install. Have your CD handy.

Note: The folder is hidden by default. Go to Start/Run and type in: control folders. View: Show hidden files and folders and uncheck Hide extensions for known file types <-QUOTE}

Was the Windir value actually a "REG_SZ" or was it already a "REG_EXPAND_SZ"? That was the key issue there: the circumstance where the "type" of the value was incorrect may have been the cause of the issue. Otherwise, if it was already a REG_EXPAND_SZ, it was already okay.

You said > "I typed in C:\\Windows and it replaced the existing Windir." The instructions said to create a new 'windir' not change the existing one. Also, is "C:\\Windows" a typo? Did you actually mean "C:\Windows" (with only one slash)? That's what was above.

Did you do the Export function (noted above) first, to save the original settings?

I'll post a second image (it'll be in the next post) of what my values look like in that section (below). If you can make your list there look like the image below, that would be correct.
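Since the instructions above say to Export the Environment key before touching it, the export itself can be used to confirm the windir type. The following Python script is an added example, not something posted in this thread: it reads a Regedit 5 export offline and reports whether windir is a REG_SZ or a REG_EXPAND_SZ. The two exports embedded in it are constructed samples; the key path and value names are the ones quoted in the instructions.

```python
"""Check whether 'windir' in an exported Environment key is REG_EXPAND_SZ.

Added example, not from the thread. Regedit's Export writes REG_SZ values
as quoted strings and REG_EXPAND_SZ values as hex(2): lists of UTF-16LE
bytes, so the saved .reg file is enough to tell which type a value has
without editing the live registry. Both exports below are constructed.
"""
import re

# Constructed export where windir was created as a plain String Value (REG_SZ).
# The doubled backslash is the .reg escape; the stored value is C:\WINDOWS.
SAMPLE_WRONG_TYPE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"TEMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,54,00,45,00,4d,00,50,00,00,00
"windir"="C:\\WINDOWS"
'''

# Constructed export where windir is an Expandable String Value (REG_EXPAND_SZ),
# stored as the UTF-16LE bytes of "C:\WINDOWS" plus a NUL terminator.
SAMPLE_CORRECT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
"TEMP"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,\
  00,25,00,5c,00,54,00,45,00,4d,00,50,00,00,00
"windir"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,00,\
  00
'''

REG_TYPES = {"hex(2)": "REG_EXPAND_SZ", "hex(7)": "REG_MULTI_SZ", "hex": "REG_BINARY"}


def _unescape(s):
    """Undo the .reg escapes: \\ -> \ and \" -> " (order matters)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_values(text):
    """Return {value_name: (type_name, decoded_value)} for one exported key."""
    # A trailing backslash continues a hex list on the next line; rejoin them first.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    values = {}
    for line in joined.splitlines():
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m:
            continue  # header, [key path], blank line or the @ default value
        name, raw = _unescape(m.group(1)), m.group(2).strip()
        if raw.startswith('"') and raw.endswith('"'):
            values[name] = ("REG_SZ", _unescape(raw[1:-1]))
        elif raw.startswith("dword:"):
            values[name] = ("REG_DWORD", int(raw[len("dword:"):], 16))
        elif ":" in raw:
            kind, data = raw.split(":", 1)
            payload = bytes.fromhex(data.replace(",", ""))
            if kind in ("hex(2)", "hex(7)"):  # UTF-16LE text, NUL terminated
                decoded = payload.decode("utf-16-le").rstrip("\x00")
            else:
                decoded = payload
            values[name] = (REG_TYPES.get(kind, kind.upper()), decoded)
        else:
            values[name] = ("UNKNOWN", raw)
    return values


def check_windir(values):
    """Apply the rule from the thread: windir must be an Expandable String (REG_EXPAND_SZ)."""
    # Registry value names are case-insensitive, so "Windir" and "windir" are the same value.
    match = {k.lower(): v for k, v in values.items()}.get("windir")
    if match is None:
        return "missing"
    kind, val = match
    if kind != "REG_EXPAND_SZ":
        return f"wrong type: {kind}"
    return f"ok: {val}"


if __name__ == "__main__":
    for label, text in (("wrong type", SAMPLE_WRONG_TYPE), ("correct", SAMPLE_CORRECT)):
        print(label, "->", check_windir(parse_reg_values(text)))
```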

LowWaterMark
April 24th, 2003, 10:56 PM
Here's what that section looks like in my Regedit...

Peaches4U
April 25th, 2003, 01:24 AM
My registry is identical except for the following exceptions:
Classpath ....... this item is not in my registry
Processor Revision ......... 0300 as opposed to yours
Processor Identifier ..... Model 3 as opposed to yours.
Answers to your questions:
1. REG_EXPAND_SZ was always there - an oversight on my part by not typing it in my post. Apologies .. :-[ I did restore windir to its original state.
2. I did a typo when referring to "C".
3. Registry disallows another "windir" & requests a different name in order to add C:\Windows under Value data.
4. Yes, I did do the Export function.
5. I hit a brick wall at this stage: "To re-install Help & Support go to C:\Windows\inf\pchealth.inf"
6. I did a printout of the instructions and followed step by step but am missing something like fully understanding what I am doing.... :(
7. WG will not allow System Restore to run short of uninstalling the program. I tried to set a new restore point prior to the worm but no deal, it would only set a restore for today which I believe would be useless as it is after the infection.

Comment: If I go into My Computer, then on "C", then click on Windows, click on PC Health, "helpctr" is there. When I click on helpctr, there are several folders but found the following are empty: Should they be?????

Batch; System_OEM; Help files; Installed SKU's; Temp.

That's it for today as I have been virtually glued to this chair - shall veg out and watch TV. :D Will check this board again in the morning with a fresh mind.

LowWaterMark
April 25th, 2003, 01:59 AM
{QUOTE-> quoting: Peaches4U: My registry is identical except for the following exceptions:
Classpath ....... this item is not in my registry
Processor Revision ......... 0300 as opposed to yours
Processor Identifier ..... Model 3 as opposed to yours.
.
I did restore windir to its original state. <-QUOTE}

Okay, good. Your entries there are all okay then, so that is not the problem. By already being a REG_EXPAND_SZ, there was nothing wrong with your windir. Good! :)
{QUOTE-> ... 5. I hit a brick wall at this stage: "To re-instal Help & Support go to C:\Windows\inf\pchealth.inf"
.
.
Comment: If I go into My Computer, then on "C", then click on Windows, click on PC Health, "helpctr" is there. When I click on helpctr, there are several folders but found the following are empty: Should they be?????

Batch; System_OEM; Help files; Installed SKU's; Temp. <-QUOTE}

Yes, that's fine. The main Help programs and dll files are in the \Binaries\ folder. (I have 11 files there - .exe's .dll's and a .cab file.) If you have a similar amount, then it sounds like you probably have all the files, and the environment variables are also okay from what you said above.

The thread referenced above had another very important thing noted - the existence of 0 KB files, all with the same name as key programs (helpctr.exe, notepad.exe, etc.) These files "get in the way" of running the real programs and are a problem. You may want to look around to see if you have any of those.

Question: When you go thru the folders noted above... C:\Windows > PCHealth > HelpCtr > Binaries - Can you see HelpCtr.exe? Is it about 676 KB in size? Can you double click it, and if so, will that start the Help & Support Center? If that works, but the Start menu > Help and Support link doesn't, you may have the same problem as others have described in that other thread.

For myself, I've never had the 0KB file problem, so I don't know any more about how to fix it than what is referenced in the other threads in the DCS sections here. If that is the problem here, then somewhere on your system is probably a file named "helpctr.exe" at 0KB and perhaps that is causing the problem.
{QUOTE-> That's it for today as I have been virtually glued to this chair - shall veg out and watch TV. :D Will check this board again in the morning with a fresh mind. <-QUOTE}

Good idea. It's best to do these things when you are rested. ;D

Start fresh tomorrow and there will be people here to help. :)

Pilli
April 25th, 2003, 05:36 AM
Peaches4U, you could also use a shortcut from the desktop:

Go to C:\Windows\PCHEALTH\HELPCTR\binaries\ In that folder you will find helpctr.exe (should be about 744K in size) - Right click it and select "Create a shortcut". Once the shortcut is created, cut and paste it to your desktop or wherever is most convenient for you.

This is just another method which requires no registry hacking but, of course, your normal "Start - Help & Support" icon still will not work. ;D

HTH Pilli

Peaches4U
April 25th, 2003, 10:06 PM
:'( Here goes nothing ...
1. I have 15 files in helpctr = 24.4 MB [seems large]
2. When I double click on helpctr.exe the Help & Support page comes up and promptly freezes on me. The Restore has a little red "do-dad" and if I click on it Wormguard comes up with the usual message that file is being prevented from running.
3. I did a Ctrl, Alt, Delete and the Task Manager came up .. it registered that Help & Support was running [strange if it was in a frozen state & still is]; Wormguard is running as well as SpywareGuard which is running.
4. In binaries I have 13 files 135 kb.
5. Nothing unusual about any of the files as far as I can determine.
6. Shall now hunt for 0 KB files especially helpctr.exe

A light bulb just lit up. ;D Decided to check my firewall just now to see how help & support was configured.... ah, ha - it had ????? [interesting] so I checked it to access the internet and now I will go back and try to see if things will work this time. Will report back. 8) Keep your fingers crossed that this is a solution.

And yes, I did read the other forum you suggested and will go back re the 0 kb files & study it some more.

Peaches4U
April 26th, 2003, 12:52 AM
:'( :'( :'( Well it is not the firewall causing the problem. That settled that!! While exploring Local Disk C, I found a Quarantine file so I peeked to see if anything was in it. You bet & this is what I found: rstrui.exe.analysis.txt and rstrui.exe.txt - So, I clicked on the Analysis.txt and up comes WormGuard advising me of the same warning I get when I try to activate system restore.

Have gone back to the site recommended and have done some reading - now I shall do a bit more probing and see if I can come up with something positive. :)

I probed Win32 files to see what is there and helpctr.exe is in there so it would stand to reason the message we have been getting should not happen.

What could possibly happen if I allowed WormGuard to allow the Restore to run? When I disabled Restore and did the symantec FixSobig scan, it came up clean so maybe the tool fixed the infected files within. I don't know, just wondering if I should try this. :-\

Jooske
April 26th, 2003, 03:30 AM
What exactly is the WG message?
You mean you can't make a new restore point either and start with that, deleting all the older restore points if you succeed in creating a clean one?
I don't run XP so glad others are able to help with those specific folders.
If you have a TXT file with those two or three extensions I guess WG will tell you with an alert for dual extensions; you have the option to view in safe mode what's in it, and as it's a txt file I suppose it is readable that way. So no need to run it, just look.

I don't know if the fixcode itself is alerted on or the code itself is in there and made unexecutable (which I suppose) and thus WG will keep alarming till you finally get rid of that restore point at all. Delete away, off your system. Infections are not holy to be kept unless you're a security developer and need them in your test database. All others should just remove them in every way your software allows you to.

Pilli
April 26th, 2003, 04:52 AM
Peaches4u, I have a feeling that there may be a more basic problem in the system files so if you have not already done so would you please try this:

Defrag your Windows drive. This will ensure that your hard disk has no damaged or fragmented file. If defrag will not run you will need to Start - Run, type "chkdsk /f" without the quotes, then press return. XP should then say that this operation will be performed upon reboot.
Chkdsk creates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects errors on the disk. Used without parameters, chkdsk displays the status of the disk in the current drive.

Both command syntaxes below are from the XP help file.

Syntax
chkdsk [volume:][[Path] FileName] [/f] [/v] [/r] [/x] [/i] [/c] [/l[:size]]

Parameters
volume:
Specifies the drive letter (followed by a colon), mount point, or volume name.
[Path] FileName
Specifies the location and name of a file or set of files that you want chkdsk to check for fragmentation. You can use wildcard characters (that is, * and ?) to specify multiple files.
/f
Fixes errors on the disk. The disk must be locked. If chkdsk cannot lock the drive, a message appears that asks you if you want to check the drive the next time you restart the computer.
/v
Displays the name of each file in every directory as the disk is checked.
/r
Locates bad sectors and recovers readable information. The disk must be locked.
/x
Use with NTFS only. Forces the volume to dismount first, if necessary. All open handles to the drive are invalidated. /x also includes the functionality of /f.
/i
Use with NTFS only. Performs a less vigorous check of index entries, reducing the amount of time needed to run chkdsk.
/c
Use with NTFS only. Skips the checking of cycles within the folder structure, reducing the amount of time needed to run chkdsk.
/l[:size]
Use with NTFS only. Changes the log file size to the size you type. If you omit the size parameter, /l displays the current size.

For the next part you will need to have your original XP installation CD.
You must be logged in as a member of the Administrators group:
Open the Start - Run and type in "SFC /scannow" without the quotes. This is from the XP help file:

System File Checker (sfc) scans and verifies the versions of all protected system files after you restart your computer.

Syntax
sfc [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]

Parameters
/scannow
Scans all protected system files immediately.
/scanonce
Scans all protected system files once.
/scanboot
Scans all protected system files every time the computer is restarted.
/revert
Returns the scan to its default operation.
/purgecache
Purges the Windows File Protection file cache and scans all protected system files immediately.
/cachesize=x
Sets the size, in MB, of the Windows File Protection file cache.
/?
Displays help at the command prompt.
Remarks
You must be logged on as a member of the Administrators group to run sfc.
If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.
If the %systemroot%\system32\dllcache folder becomes corrupt or unusable, use sfc /scannow, sfc /scanonce, or sfc /scanboot to repair the contents of the Dllcache directory.

Phew! If all of the above completes OK then at least we will have a level playing field to work on. ;D

Pilli

Peaches4U
April 26th, 2003, 08:53 AM
Hi Pilli - Well, I did defrag just a few days ago and computer is running at 100% optimal. I also did the scan disks, and no errors found. So, another bulb lit up. I am going to forget trying to get Help & Support to work for now. What if I did this: Start/All Programs/ Accessories/System Tools/Disk Cleanup. Click the More Options tab, and then click the Clean up button in the System Restore section? Would this not clean out the worm corrupted files and a new restore date would set itself as of date of purging? Presumably if the Restore file is empty, WormGuard will no longer have to protect it from running - nothing there to protect. The fact that I had to turn off SR when I was scanning/ cleaning with FixSobig tool, turning it off wiped out all other existing restore points. This would explain why I could not go back to a date prior to the infection. By doing this SR would take a new clean snapshot as of the day the cleaning was done. This would create a clean restore point. WormGuard would go away. Then my Restore feature should be functional again or will it. Do I make sense? :-\

I am going to print out your suggestion and read it over carefully as I am not sure I fully understand it and then give your suggestion a try. But first I am crawling back between the sheets for a few more hours of shut eye ... this thing is giving me insomnia.... ::)

I truly appreciate all the help and advice I have been getting so a big thanks to all who have responded.

Pilli
April 26th, 2003, 09:05 AM
Hi, I believe disk clean up with the option you stated will delete all the restore points except for the latest one. So it may be worth a try. If you're happy using regedit you could also do a search for any leftover Sobig registry keys & delete them if it made any? This is in case the other removal tools did not work properly on your system. If you do try regedit be sure to back up the registry first, others may suggest tools that can do this for you.

Peaches4U
April 28th, 2003, 12:44 AM
Pilli - I did the System Restore clean up but there are still many files there. If I highlight them and right click my mouse and delete them [I viewed them through WormGuard and they are totally useless] Is this a safe thing to do? Perhaps then I can set a new restore date as of the date of deletion.

I am not comfortable editing a registry as I am not computer literate enough. I did browse through C Drive and found where the pif file was hidden [I now also know the contact who was used as a host]. The whole email was there. I deleted the file.

Regarding the Help & Support [helpctr.exe] I have posted an S.O.S. on a different discussion board and hope someone there can come up with some knowledge as to why it comes up as not a valid Win32 application when in fact it is. Maybe someone there has figured out a fix. ;D I did read the discussion on this subject as you suggested and there was one solution there but I do not understand parts of it. :(

Pilli
April 28th, 2003, 05:58 AM
{QUOTE-> Pilli - I did the System Restore clean up but there are still many files there. If I highlight them and right click my mouse and delete them [I viewed them through WormGuard and they are totally useless] Is this a safe thing to do? Perhaps then I can set a new restore date as of the date of deletion <-QUOTE}

Using XP's clean up should be OK, there will be IE cached files, temp files, history files etc. that can all be safely deleted.

{QUOTE-> I am not comfortable editing a registry as I am not computer literate enough. I did browse through C Drive and found where the pif file was hidden [I now also know the contact who was used as a host]. The whole email was there. I deleted the file. <-QUOTE}

Understandable. If you are not confident editing the registry it would be better to leave well alone, or find a tool such as Ontrack's System Suite or Norton SystemWorks that does a lot of the work for you and creates an easily retrievable back-up if you mess up.

Have you searched your hard disk for helpctr.exe? If you do you can safely delete all 0 byte size versions - as I have heard that these can cause a problem.

We will not be defeated!!! ;D

Peaches4U
April 28th, 2003, 04:35 PM
Hey Philli - I did it, I did it!! ;D Gimme 5!!! I have Help & Support working. This is what I did: C:\Windows\PCHealth\helpctr\binaries and up she comes, all the help pages come up. I then created a shortcut to my desktop - tested it and it works. It may not be a perfect solution but if it does the job, so be it. ;)

Am still cautiously approaching my System Restore fix and searching for any other traces of the Sobig virus. I tell ya, when I get all this cleaned up, I won't get caught with my knickers down again. ;D but I shall be much wiser for it.
This is what is in my SR and I want to delete the whole mess: What is in there that WormGuard is preventing from running?

FILE: c:\windows\system32\restore\rstrui.exe
SIZE: 370688 bytes

Pilli
April 28th, 2003, 05:30 PM
Well done! I am not sure what is causing the problem with WG - you could send a copy of your read out to support@diamondcs.com.au they may give you a better answer regarding your list than I can.

I am glad the shortcut worked

Julian
April 29th, 2003, 03:47 AM
Have had the same problem with Help & Support. The problem is caused by the system creating a zero byte file with the same name. Do a search for helpctr.exe and delete all zero byte copies, the program then runs as normal.

Jooske
April 29th, 2003, 04:11 AM
Yeah, thanks Julian for the reminder. I delete occasionally the 0 bytes files I see for about every function, and I think it helps. For a few I copied the original exe in strategic places so they keep working anyway.

Pilli
April 29th, 2003, 05:16 AM
Yeh, thanks Julian, I did state that earlier in the thread but it cannot be stated enough :)

Peaches4U
April 30th, 2003, 12:07 AM
When I found helpctr.exe & then created a shortcut to the desktop, there were no zero files - should I be looking elsewhere? Am not familiar with zero files. :-[

The reason WormGuard is not allowing System Restore to run is because the virus spread & is resident there. Someone on another forum was able to read the contents as posted and pointed to several areas of infection. This proves that WormGuard is doing its thing well. ;D

Thank you to everyone for being so helpful - it is very much appreciated. I have truly learned a great deal from not only those helping me but also from reading other parts of the forums. Again thanks from a peachy learner :-*

Jooske
April 30th, 2003, 12:47 AM
P4U if you mean in the long listing from above, for our info could you mention the line numbers or is this not what you mean? Even though i noticed in my older emails i received that infection various times i didn't run it nor do i have system restore so i can't reproduce it overhere.
Had hiped that fix would disinfect the nasty and eventually delete, with disabling the system restore, reboot, enabling system restore again making a new restore point and deleting or lceaning out all older points i had hoped you would have been completely rid of it so i'm really puzzling in your current system restore you would still have that infection. If possible delete the thing please and you should be really clean if that fix did it's work.
If you know the file names/elements normally one hunts for those on the system and deletes them too.

Anyway, good to know WG does it's work well, never doubted on that :)


About the size 0 bytes files:
If you do a search on your system for files that size, you might find various. Windows creates them if it can't get to the original file for some reason in the directory from where you are calling that function.
Now you are on XP, so for you files of size 0 KB may or may not really be 0 bytes. So find them. In your TDS in the scan options you see you can configure TDS to scan those too and see if they are really empty or contain streams. These are not necessarily malicious: several programs like virus scanners put code there for later control if there were modifications, for instance checksums, whatever.
So if TDS with that scanning tells you they are really clean, delete them. If TDS says they are suspicious, ask advice.
If they are just normal innocent things from the scanners, leave them in peace as they will be recreated again I suppose.
But deleting the ones that were really empty might make your system work nicer.
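
The check Jooske describes (find zero-length files, then see whether they are truly empty or carry NTFS streams) can be done without TDS on a current Windows release. The following PowerShell is an added example for this thread, not DiamondCS code; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the `Find-EmptyFilesWithStreams` function name and the `$Root` parameter are my own choices.

```powershell
# Added example (not from the thread): list zero-length files under a folder and
# report any NTFS alternate data streams they carry. A "0 byte" file can still hold
# data in a named stream, which is why the thread says to scan them before deleting.
# Assumes Windows PowerShell 3.0+ (Get-Item -Stream) and an NTFS volume.
function Find-EmptyFilesWithStreams {
    param(
        [Parameter(Mandatory)] [string] $Root
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -eq 0 } |
        ForEach-Object {
            $file = $_
            # Every NTFS file has the unnamed ':$DATA' stream; anything else is an
            # alternate data stream and is not counted in the file's reported Length.
            $ads = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
            [pscustomobject]@{
                Path          = $file.FullName
                LastWriteTime = $file.LastWriteTime
                StreamCount   = @($ads).Count
                Streams       = (@($ads) | ForEach-Object { "$($_.Stream) ($($_.Length) bytes)" }) -join '; '
            }
        }
}

# Usage: check the current user's profile (where the thread found helpctr.exe),
# showing files that hide streams first. Review these before deleting anything.
Find-EmptyFilesWithStreams -Root $env:USERPROFILE |
    Sort-Object StreamCount -Descending |
    Format-Table -AutoSize
```

Files with `StreamCount` 0 are genuinely empty and safe to remove if nothing recreates them; a non-empty `Streams` column deserves a look at the stream content (`Get-Content -Stream <name>`) before deciding, since, as the post notes, some scanners store checksums there legitimately.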

Peaches4U
April 30th, 2003, 03:45 AM
Jooske - I did disable System Restore, reboot, enable, reboot, and no deal. Simply by disabling SR in XP will delete all the previous restore points automatically, leaving only the last restore point. In my opinion the last restore point would be after the virus infection and I do not think I would be wise to use it. Not being familiar with what I can and cannot do in SR, my question was as to whether I could delete everything completely in system restore and then set a new restore point as at the date of deletion. It seems all the advice I get is delete to the last restore point which in my opinion will not get rid of the virus. That is why I am still messing around with it. My guru who set up my computer for me last year may have an answer as he uses XP and should know how SR can be dealt with in this situation. Shall give him a call tomorrow. Anyway, the virus is nowhere else in my computer as I deleted any reference found including deletion from Quarantine. My computer is clean except for this one area which is in doubt. I followed the FixSobig tool instructions after the first fix twice and each time it said the SoBig virus could not be found. If that is the case, and WormGuard thinks it is still in SR - could it be that WormGuard is reading a killed virus? :-\

I found four 0 files in Documents & Settings including helpctr.exe - they have been deleted after I scanned them. They were clean. :)

Jooske
April 30th, 2003, 04:20 AM
We just want you to get rid of ALL the former system restore points and make a clean one from the new clean situation manually.
This should solve the problem, as what is deleted completely should no longer be there.

Read here please:
http://service4.symantec.com/SUPPORT/ent-security.nsf/3d2a1f71c5a003348525680f006426be/365d4251002f832085256b4300675d39?OpenDocument

If the 0 bytes files are found clean from streams or other stuff delete them!
Look if there is anything in TDS, WG, famous places to collect them for some reasons, and deleting them occasionally will keep your Help running too we might hope.

Pilli
April 30th, 2003, 05:43 AM
Peaches4u, you can turn off SR completely. You can then set the restore size allowance % to nothing. Delete all restore points. Restart your PC and you will have created a restore point of 0 bytes. Check that there are no earlier points left & reboot, therefore effectively "killing" any unwanted data in the restore. After this you could then increase the restore point allowance to its original %.

HTH Pilli
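
Pilli's sequence (System Restore off, storage shrunk, all old points gone, one fresh point made from the clean state) can be scripted on Windows Vista and later, where restore points are shadow copies. This is an added example for the thread, not a DiamondCS or Microsoft procedure; it assumes an elevated PowerShell prompt, that the system drive is C:, and uses the 3% allowance that this thread settles on rather than Pilli's "nothing, then back to the original %".

```powershell
# Added example (not from the thread): clear every existing restore point and
# create a single clean baseline. Assumes Windows Vista or later, an elevated
# prompt, and C: as the system drive. The XP dialogs in the thread have no
# scripting interface, so this is the modern equivalent of the same steps.
$drive = "C:\"

# 1. Switch System Restore off for the drive so no new point is written mid-cleanup.
Disable-ComputerRestore -Drive $drive

# 2. Delete all existing restore points (they are stored as volume shadow copies).
vssadmin Delete Shadows /For=C: /All /Quiet

# 3. Cap the space restore points may use; 3% of the drive, as chosen in the thread.
vssadmin Resize ShadowStorage /For=C: /On=C: /MaxSize=3%

# 4. Turn System Restore back on and create the first, clean, baseline point.
Enable-ComputerRestore -Drive $drive
Checkpoint-Computer -Description "Clean baseline after worm removal" -RestorePointType MODIFY_SETTINGS

# 5. Verify that only the new point exists before trusting it.
Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
```

Step 5 is the check Pilli asks for ("check that there are no earlier points left"): if more than one point is listed, the deletion in step 2 did not run elevated. Note that on Windows 8 and later `Checkpoint-Computer` silently skips creating a point if one was already made in the last 24 hours, so run the verification rather than assuming the point exists.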

Jooske
April 30th, 2003, 08:58 AM
Maybe after disable restore > reboot > SCAN > reboot, and don't use that Sobig fix anymore if the scan was clean, and don't let that fix touch your restore or whatever, you should be very brand clean; cleaner can only be with a reformat, but ok, you were supposed very clean.
As with Pilli's instruction you should now have an empty restore point, this is clean as well,
so if you think you really want and need to have a restore enabled, this might be the moment for a careful try to make one manually and see what WG does with it, I guess after another reboot.
What were the WG messages btw?

Peaches4U
May 2nd, 2003, 02:53 AM
Hi - am behind schedule - have unexpected visitors and now houseguests until Monday and need quiet to do all this. ::) Have suggestions all printed out and ready to roll as soon as visitors leave. Till then, this is the message from WormGuard:
This file has been temporarily blocked from executing.
Risk Assessment: Medium
Script Analysis: Security risks detected.
WormG Script analysis:
. contains suspicious string: startup
. executes a file[s]
. Accesses the file system.
File Script: MZO

Jooske
May 2nd, 2003, 03:40 AM
Hi P4U, I am very sure there was more in the source of the file, for that is that button "view in safe mode" at the right under the display to see it all.
But it might have been in another code.
What kind of file was it, how did you get it and what was the name, and where is it located?

Gavin - DiamondCS
May 2nd, 2003, 04:16 AM
Is this the System Restore thing ? just click ALWAYS ALLOW :)

Peaches4U
May 2nd, 2003, 04:39 AM
Hi folks. Decided to forfeit some sleep and get it over with once & for all. There is absolutely no reason at this stage for WG to stop the file from running and I have pretty much decided as suggested by Gavin to allow the file to always run. I have checked my system most thoroughly.
> No errors in registry
> No errors after doing a Program Integrity scan
> No errors re Free Space check.
> Virus definitions are up to date.
> No errors re Disk check
> No errors re Scan Disk.
> Virus Scans clean.
> I created a fresh restore point this evening & removed all others.
> It was recommended that I reduce my restore space to 3% rather than 12% where it was set - 3% it is now!!
> WG still says "No" and I say yes, I shall run the file as I am confident my computer is clean.
> Computer running smooth as silk. :)

Last but not the least, I am going ADSL and off cable sooner than later.

On that note, thank you everyone for your input and assistance - you have all been very helpful. You are the greatest! :-*

Oh & Jooske, I have my email so tightly configured, thanks to your list of extensions, and suggestions that "touch wood", I shall never have to deal with a virus again. It is only my 3rd time in 3 yrs. - hopefully now it will be reduced to nil. ;D My next newsletter will have a nice write up about Wilderssecurity, WG & TDS in my "Computer Junkies" section.

Pilli
May 2nd, 2003, 04:56 AM
Peaches4U, I am sincerely glad that all appears well again. My first experience of infection was the QAZ Trojan; fortunately an alert tech at my ISP had been tracking it through their network & informed me immediately that I was infected - I had just changed from dial-up to cable and the Trojan had got in during the changeover process.
This led me to investigate all the security aspects of an "always on" connection. Again, fortunately I came across DCS very early in that learning process; since then, some two and a half years later, I have not had another Trojan, virus or worm.

Great products & superb support!

Be lucky - Pilli

Jooske
May 2nd, 2003, 05:27 AM
Sounds all very good P4U, keep it going!
Oh, and for your newsletter, don't forget the Port Explorer and AutostartViewer, very good tools in detection and stopping live trojans in their actions. Much more in the build so tell them to check back often in this and DCS forums at www.diamondcs.com.au/forum/index.php
And remember, membership for both forums is free :)


BTW once there, think of this thread:
http://diamondcs.com.au/forum/showthread.php?s=&threadid=262&perpage=15&pagenumber=1

Peaches4U
May 4th, 2003, 01:04 PM
Although dealing with the virus has been somewhat frustrating - I now know my computer much better and can also sense almost instantly if there is something amiss. In all, it has been a great learning experience looking at it from a positive point of view. I checked WormGuard to run the file - nothing being there as an active virus anymore, no alarms. A virus scan was immediately done and came up clean. What a relief. :P

My next Club newsletter comes out in June and I will probably devote a full page to internet safety with reference to your forums, etc. The club as a whole is reaching an 80,000 membership but our Canadian Chapter, although not as great in number, does reach readers right across North America. The bulk of my newsletters are sent via attachment which is why it is so extremely important for me to have a computer that is 100% clean - my mail is always trusted. I may even write an article for the National magazine as I have had other articles on varying subjects published. With all the great help I received here, I was able to achieve my goal in good security. Again, many thanks with sweet peaches to all. ;D

Pilli
May 4th, 2003, 01:11 PM
Peaches4u, glad you're feeling secure at last!
Sometimes it takes a while to sort these problems out but we do usually succeed in the end. ;D