WormGuard & W32.Sobig.A@MM

Discussion in 'WormGuard' started by Peaches4U, Apr 18, 2003.

  1. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peaches for you, You could also use a shortcut from the desktop:

    Go to C:\Windows\PCHEALTH\HELPCTR\binaries\ In that folder you will find helpctr.exe (should be about 744K in size) - Right click it and select "Create a shortcut". Once the shortcut is created, cut and paste it to your desktop or wherever is most convenient for you.

    This is just another method which requires no registry hacking but, of course, your normal "Start - Help & Support" icon still will not work. :D

    HTH Pilli
     
  2. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :'( Here goes nothing ...
    1. I have 15 files in helpctr = 24.4 MB [seems large]
    2. When I double click on helpctr.exe the Help & Support page comes up and promptly freezes on me. The Restore has a little red "do-dad" and if I click on it Wormguard comes up with the usual message that file is being prevented from running.
    3. I did a Ctrl, Alt, Delete and the Task Manager came up .. it registered that Help & Support was running [strange if it was in a frozen state & still is]; WormGuard is running as well as SpywareGuard which is running.
    4. In binaries I have 13 files 135 kb.
    5. Nothing unusual about any of the files as far as I can determine.
    6. Shall now hunt for 0 KB files especially helpctr.exe

    A light bulb just lit up. :D Decided to check my firewall just now to see how help & support was configured.... ah, ha - it had o_O?? [interesting] so I checked it to access the internet and now I will go back and try to see if things will work this time. Will report back. :cool: Keep your fingers crossed that this is a solution.

    And yes, I did read the other forum you suggested and will go back re the 0 kb files & study it some more.
     
  3. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :'( :'( :'( Well it is not the firewall causing the problem. That settled that!! While exploring Local Disk C, I found a Quarantine file so I peeked to see if anything was in it. You bet & this is what I found: rstrui.exe.analysis.txt and rstrui.exe.txt - So, I clicked on the Analysis.txt and up comes WormGuard advising me of the same warning I get when I try to activate System Restore.

    Have gone back to the site recommended and have done some reading - now I shall do a bit more probing and see if I can come up with something positive. :)

    I probed Win32 files to see what is there and helpctr.exe is in there so it would stand to reason the message we have been getting should not happen.

    What could possibly happen if I allowed WormGuard to allow the Restore to run? When I disabled Restore and did the Symantec FixSobig scan, it came up clean so maybe the tool fixed the infected files within. I don't know, just wondering if I should try this. :doubt:
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    What exactly is the WG message?
    You mean you can't make a new restore point either and start with that, deleting all the older restore points if you succeed in creating a clean one?
    I don't run XP so glad others are able to help with those specific folders.
    If you have a TXT file with those two or three extensions I guess WG will tell you with an alert for dual extensions; you have the option to view in safe mode what's in it, and as it's a txt file I suppose it being readable that way. So no need to run it, just look.

    I don't know if the fix code itself is alerted on or the code itself is in there and made unexecutable (which I suppose) and thus WG will keep alarming till you finally get rid of that restore point at all. Delete away, off your system. Infections are not holy to be kept unless you're a security developer and need them in your test database. All others should just remove them in every way your software allows you to.
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peaches4u, I have a feeling that there may be a more basic problem in the system files so if you have not already done so would you please try this:

    Defrag your Windows drive. This will ensure that your hard disk has no damaged or defragmented file. If defrag will not run you will need to Start - Run, type "chkdsk /f" without the quotes, then press return. XP should then say that this operation will be performed upon reboot.
    Chkdsk: Creates and displays a status report for a disk based on the file system. Chkdsk also lists and corrects errors on the disk. Used without parameters, chkdsk displays the status of the disk in the current drive.

    Both command syntaxes below are from the XP help file.

    Syntax
    chkdsk [volume:][[Path] FileName] [/f] [/v] [/r] [/x] [/i] [/c] [/l[:size]]

    Parameters
    volume:
    Specifies the drive letter (followed by a colon), mount point, or volume name.
    [Path] FileName
    Specifies the location and name of a file or set of files that you want chkdsk to check for fragmentation. You can use wildcard characters (that is, * and ?) to specify multiple files.
    /f
    Fixes errors on the disk. The disk must be locked. If chkdsk cannot lock the drive, a message appears that asks you if you want to check the drive the next time you restart the computer.
    /v
    Displays the name of each file in every directory as the disk is checked.
    /r
    Locates bad sectors and recovers readable information. The disk must be locked.
    /x
    Use with NTFS only. Forces the volume to dismount first, if necessary. All open handles to the drive are invalidated. /x also includes the functionality of /f.
    /i
    Use with NTFS only. Performs a less vigorous check of index entries, reducing the amount of time needed to run chkdsk.
    /c
    Use with NTFS only. Skips the checking of cycles within the folder structure, reducing the amount of time needed to run chkdsk.
    /l[:size]
    Use with NTFS only. Changes the log file size to the size you type. If you omit the size parameter, /l displays the current size.

    For the next part you will need to have your original XP installation CD.
    You must be logged in as a member of the Administrators group:
    Open the Start - Run and type in "SFC /scannow" without the quotes. This is from the XP help file:

    System File Checker (sfc): Scans and verifies the versions of all protected system files after you restart your computer.

    Syntax
    sfc [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]

    Parameters
    /scannow
    Scans all protected system files immediately.
    /scanonce
    Scans all protected system files once.
    /scanboot
    Scans all protected system files every time the computer is restarted.
    /revert
    Returns the scan to its default operation.
    /purgecache
    Purges the Windows File Protection file cache and scans all protected system files immediately.
    /cachesize=x
    Sets the size, in MB, of the Windows File Protection file cache.
    /?
    Displays help at the command prompt.
    Remarks
    You must be logged on as a member of the Administrators group to run sfc.
    If sfc discovers that a protected file has been overwritten, it retrieves the correct version of the file from the %systemroot%\system32\dllcache folder, and then replaces the incorrect file.
    If the %systemroot%\system32\dllcache folder becomes corrupt or unusable, use sfc /scannow, sfc /scanonce, or sfc /scanboot to repair the contents of the Dllcache directory.

    Phew! If all of the above completes OK then at least we will have a level playing field to work on. :D

    Pilli
     
  6. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi Pilli - Well, I did defrag just a few days ago and computer is running at 100% optimal. I also did the scan disks, and no errors found. So, another bulb lit up. I am going to forget trying to get Help & Support to work for now. What if I did this: Start/All Programs/Accessories/System Tools/Disk Cleanup. Click the More Options tab, and then click the Clean up button in the System Restore section? Would this not clean out the worm corrupted files and a new restore date would set itself as of date of purging? Presumably if the Restore file is empty, WormGuard will no longer have to protect it from running - nothing there to protect. The fact that I had to turn off SR when I was scanning/cleaning with FixSobig tool, turning it off wiped out all other existing restore points. This would explain why I could not go back to a date prior to the infection. By doing this SR would take a new clean snapshot as of the day the cleaning was done. This would create a clean restore point. WormGuard would go away. Then my Restore feature should be functional again, or will it? Do I make sense? :doubt:

    I am going to print out your suggestion and read it over carefully as I am not sure I fully understand it and then give your suggestion a try. But first I am crawling back between the sheets for a few more hours of shut eye ... this thing is giving me insomnia.... :rolleyes:

    I truly appreciate all the help and advice I have been getting so a big thanks to all who have responded.
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I believe disk clean up with the option you stated will delete all the restore points except for the latest one. So it may be worth a try. If you're happy using regedit you could also do a search for any left-over Sobig registry keys & delete them if it made any? This is in case the other removal tools did not work properly on your system. If you do try regedit be sure to back up the registry first; others may suggest tools that can do this for you.
     
  8. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Pilli - I did the System Restore clean up but there are still many files there. If I highlight them and right click my mouse and delete them [I viewed them through WormGuard and they are totally useless] is this a safe thing to do? Perhaps then I can set a new restore date as of the date of deletion.

    I am not comfortable editing a registry as I am not computer literate enough. I did browse through C Drive and found where the pif file was hidden [I now also know the contact who was used as a host]. The whole email was there. I deleted the file.

    Regarding the Help & Support [helpctr.exe] I have posted an S.O.S. on a different discussion board and hope someone there can come up with some knowledge as to why it comes up as not a valid Win32 application when in fact it is. Maybe someone there has figured out a fix. :D I did read the discussion on this subject as you suggested and there was one solution there but I do not understand parts of it. :(
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Using XP's clean up should be OK, there will be IE cached files, temp files, history files etc. that can all be safely deleted.

    Understandable. If you are not confident editing the registry it would be better to leave well alone, or find a tool such as Ontrack's System Suite or Norton's SystemWorks that does a lot of the work for you and creates an easily retrievable back-up if you mess up.

    Have you searched your hard disk for helpctr.exe? If you do you can safely delete all 0 byte size versions - as I have heard that these can cause a problem.

    We will not be defeated!!! :D
     
  10. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hey Pilli - I did it, I did it!! :D Gimme 5!!! I have Help & Support working. This is what I did: C:\Windows\PCHealth\helpctr\binaries and up she comes, all the help pages come up. I then created a shortcut to my desktop - tested it and it works. It may not be a perfect solution but if it does the job, so be it. ;)

    Am still cautiously approaching my System Restore fix and searching for any other traces of the Sobig virus. I tell ya, when I get all this cleaned up, I won't get caught with my knickers down again. :D but I shall be much wiser for it.
    This is what is in my SR and want to delete the whole mess: What is in there that WormGuard is preventing from running?

    FILE: c:\windows\system32\restore\rstrui.exe
    SIZE: 370688 bytes
    ---------------------FILE BEGINS <Extracted Strings>---------------------
    78: !This program cannot be run in DOS mode.
    528: `.data
    705: SHLWAPI.dll
    717: ADVAPI32.dll
    730: KERNEL32.dll
    743: NTDLL.DLL
    753: GDI32.dll
    763: USER32.dll
    774: SRRSTR.dll
    785: ole32.dll
    795: OLEAUT32.dll
    808: msvcrt.dll
    819: WINSTA.dll
    6297: RestoreSnapshot
    6313: CreateSnapshot
    6329: ::DisableFIFO failed - %ls
    6357: d:\xpsp1\admin\pchealth\sr\shell\extwrap.cpp
    6405: CSRExternalWrapper::DisableFIFO
    6437: ::EnableFIFO failed - %ls
    6465: CSRExternalWrapper::EnableFIFO
    6497: ::SRSetRestorePoint failed, status=%d
    6537: CSRExternalWrapper::SetRestorePoint
    6573: ::SRRemoveRestorePoint failed - %ls
    6609: CSRExternalWrapper::RemoveRestorePoint
    6649: Cannot create RPI Instance...
    6681: Ignoring cancelled restore point
    6717: CSRExternalWrapper::BuildRestorePointList
    6761: Insufficient memory, cannot allocate RPI
    6805: CSRExternalWrapperStub::BuildRestorePointList
    6962: Insufficient memory...
    6985: CreateSRExternalWrapper
    8250: UnRegisterTypeLib
    8297: Cannot initialize COM, hr=%l
    8329: d:\xpsp1\admin\pchealth\sr\shell\frmmars.cpp
    8377: CSRFrameMars::InitInstance
    8554: Creating SRUI Instance failed - %s
    8589: CreateSRFrameInstance
    8613: CHCPMarsHost_Object::CreateInstance failed, hr=%u
    8689: ::GetProcAddress failed - %s
    8721: ::LoadLibrary('marscore.dll') failed - %s
    8765: CSRFrameMars::InvokeMARS
    8989: CComModule::RegisterServer failed, err=%l
    9033: CComModule::UpdateRegistryFromResource failed, err=%l
    9089: CSRFrameMars::RegisterServer
    9121: CComModule::UnregisterServer failed, err=%l
    9165: CSRFrameMars::UnregisterServer
    11226: ::SystemTimeToVariantTime failed - %ls
    11265: d:\xpsp1\admin\pchealth\sr\shell\htmlui.cpp
    11309: ConvSysTimeToVariant
    11333: ::VariantTimeToSystemTime failed - %ls
    11373: ConvVariantToSysTime
    11397: Invalid Argument, NULL input parameter
    11437: CRestoreShell::get_Count
    11465: CRestoreShell::get_CurrentDate
    11497: CRestoreShell::get_LocaleFirstDay
    11533: CRestoreShell::get_IsSafeMode
    11565: CRestoreShell::get_IsUndo
    11593: CRestoreShell::get_LastRestore
    11625: CRestoreShell::get_MainOption
    11657: Out of memory, cannot allocate string
    11697: CRestoreShell::get_ManualRPName
    11729: CRestoreShell::get_MaxDate
    11757: CRestoreShell::get_MinDate
    11785: CRestoreShell::get_RealPoint
    11817: CRestoreShell::get_RestorePtSelected
    11857: CRestoreShell::get_SelectedDate
    11889: CRestoreShell::get_SelectedName
    11921: CRestoreShell::get_SelectedPoint
    11957: Index is out of range
    11981: CRestoreShell::put_SelectedPoint
    12017: CRestoreShell::get_SmgrUnavailable
    12053: CRestoreShell::get_StartMode
    12085: CRestoreShell::get_UsedDate
    12113: CRestoreShell::get_CanNavigatePage
    12149: CRestoreShell::BeginRestore
    12177: CRestoreShell::Cancel
    12201: Invalid Argument, V_VT(var)=%d is not expected type %d
    12257: CRestoreShell::CompareDate
    12285: CRestoreShell::CreateRestorePoint
    12321: CRestoreShell::FormatDate
    12349: CRestoreShell::FormatLowDiskMsg
    12381: CRestoreShell::FormatTime
    12409: CRestoreShell::GetLocaleDateFormat
    12445: CRestoreShell::GetYearMonthStr
    12477: hwndFrame is NULL
    12497: CRestoreShell::SetFormSize
    12525: CRestoreShell::CanRunRestore
    12557: RA session present - not counting
    12593: GetLoggedOnUserCount
    12633: Loading IDS_ERR_OTHER_USERS_LOGGED_ON2 failed %d
    12685: Loading IDS_ERR_OTHER_USERS_LOGGED_ON1 failed %d
    12737: Loading IDS_RESTOREUI_TITLE failed %d
    12777: CRestoreShell::DisplayOtherUsersWarning
    12817: CRestoreShell::WasLastRestoreFromSafeMode
    13081: Invalid Argument, out of range
    13113: Cannot create RestorePointObject Instance, hr=%d
    13165: QI failed, hr=%d
    13185: CRestoreShell::Item
    13205: Cannot QI IRenamedFolders, hr=0x%08X
    13245: Cannot create CRenamedFolders object, hr=0x%08X
    13293: CRestoreShell::get_RenamedFolders
    13358: RP: '%ls'
    13369: d:\xpsp1\admin\pchealth\sr\shell\htmlui2.cpp
    13417: CRestorePointInfo::HrInit
    13445: CRestorePointInfo::get_Name
    13473: CRestorePointInfo::get_Type
    13501: CRestorePointInfo::get_SquenceNumber
    13541: CRestorePointInfo::get_TimeStamp
    13577: CRestorePointInfo::get_Year
    13605: CRestorePointInfo::get_Month
    13637: CRestorePointInfo::get_Day
    13665: CRestorePointInfo::get_IsAdvanced
    13701: CRestorePointInfo::CompareSequence
    13737: CRenamedFolders::get_Count
    13765: CRenamedFolders::OldName
    13793: CRenamedFolders::NewName
    13821: CRenamedFolders::Location
    13989: d:\xpsp1\admin\pchealth\sr\shell\logfile.cpp
    14037: ::MapViewOfFile failed - %ls
    14069: ::CreateFileMapping failed - %ls
    14105: ::GetFileSize failed - %ls
    14133: ::CreateFile failed - %ls
    14161: CMappedFileRead::Open
    14185: Insufficient data - %d bytes (need=%d bytes)
    14233: CMappedFileRead::Read(LPVOID,DWORD)
    14269: CMappedFileRead::Read(DWORD*)
    14301: Invalid string length - %d (max=%d)
    14341: CMappedFileRead::Read(LPWSTR,DWORD)
    14377: Invalid restore log file signature...
    14417: Unknown trailing data after the EndOfMap marker...
    14469: Drv#%d - %08X, %ls, %ls, %ls
    14501: RP ID = %d, # of Drives = %d, New RP=%d
    14541: Unknown restore log file version - %d (0x%08X)
    14589: ValidateLogFile
    14605: Deleting RP %d
    14621: d:\xpsp1\admin\pchealth\sr\shell\main.cpp
    14665: CancelRestorePoint
    14685: ! WriteFile : %ld
    14793: m_dwCmd=%d, dwRP=%d
    14901: Option='%ls'
    14917: Cmd='%ls'
    14929: ParseCommandParameter
    14953: Closing rstrui.exe...
    14977: EnableFIFO() failed
    15073: ! SRFormatMessage
    15093: _tWinMain
    15257: Out of range, IFIRSTDAYOFWEEK = %d
    15293: nFirstDay=%d
    15309: GetLocaleInfo(IFIRSTDAYOFWEEK) failed - %ls
    15353: d:\xpsp1\admin\pchealth\sr\shell\rstrmgr.cpp
    15401: CRestoreManager::GetFirstDayOfWeek
    15441: DisableFIFO(1) failed...
    15469: CRestoreManager::DisableFIFO
    15501: EnableFIFO() failed...
    15525: CRestoreManager::EnableFIFO
    15553: ::GetDateFormat failed - %s
    15581: CRestoreManager::GetDateStr
    15609: ::GetTimeFormat failed - %s
    15637: CRestoreManager::GetTimeStr
    15665: m_fDenyClose=%d
    15681: CRestoreManager::DenyClose
    15709: m_fNeedReboot=%d
    15729: CRestoreManager::NeedReboot
    15757: ::FileTimeToSystemTime failed - %ls
    15793: ::FileTimeToLocalFileTime failed - %ls
    15833: CSRTime::SetFileTime
    15857: ***Less than 80MB free - cannot run restore***
    15905: ! GetDiskFreeSpaceEx : %ld
    15933: SRSetRestorePoint failed
    15985: SR cannot get free disk space!!!
    16021: SR is Frozen!!!
    16037: SR cannot get system drive!!!
    16069: Service is not running...
    16097: ::CreateProcess failed - %ls
    16173: ::LoadString(%u) failed - %ls
    16205: SR is DISABLED!!!
    16225: SR is DISABLED by group policy!!!
    16261: CRestoreManager::CanRunRestore
    16293: Out of range, nIndex=%d - m_nRFI=%d
    16329: FATAL, entry is NULL: nIndex=%d, m_nRFI=%d
    16373: CRestoreManager::GetRFI
    16397: Out of range, nIndex=%d - m_nRPI=%d
    16433: FATAL, entry is NULL: nIndex=%d, m_nRPI=%d
    16477: CRestoreManager::GetRPI
    16565: Prepare Restore failed...
    16593: DisableFIFO(%d) failed...
    16621: CRestoreManager::CheckRestore
    16653: m_pCtx is NULL
    16669: CRestoreManager::BeginRestore
    16701: # of RP=%d
    16713: CRestoreManager::UpdateRestorePointList
    16753: Cannot create CRestoreManager instance...
    16797: Invalid parameter, ppMgr is NULL...
    16833: CreateRestoreManagerInstance
    16865: CRestoreManager::SetSelectedPoint
    16901: CSnapshot::CleanupAfterRestore failed - %ls
    16945: CRestoreManager::SetRPsUsed
    16985: BeginRestore failed
    17005: CheckRestore failed
    17025: m_nRealPoint=%d, m_nRP=%d
    17053: CRestoreManager::SilentRestore
    17114: d:\xpsp1\admin\pchealth\sr\shell\rstrprog.cpp
    17161: CRstrProgress::get_hWnd
    17185: CRstrProgress::get_Max
    17209: CRstrProgress::get_Min
    17233: CRstrProgress::get_Value
    17261: Invoke returned %d
    17281: CRstrProgress::Fire_OnCreate
    17421: ::MultiByteToWideChar returns inconsistent length - %d / %d
    17481: ::MultiByteToWideChar failed - %s
    17517: d:\xpsp1\admin\pchealth\sr\shell\util.cpp
    17561: CSRStr::ConvertA2W
    17581: ::FormatMessage failed - %ls
    17613: SRFormatMessage
    17629: ShowSRErrDlg
    17645: ::SHGetValue failed - %ls
    17673: SRGetRegDword
    17689: CSRStr::SetStr(LPCWSTR,int)
    17737: SRRemoveRestorePoint
    17761: SRUpdateDSSize
    17777: SRSetRestorePointW
    17797: DisableSR
    17809: EnableFIFO
    17821: DisableFIFO
    17833: EnableSR
    17845: EnableSREx
    17857: srclient.dll
    17873: RegDBRestore
    17889: RegDBBackup
    18513: DeleteFile failed ec=%d
    18537: DeleteTempRestoreFile
    18561: Deleting files failed error %ld
    18593: DeleteAllFilesBySuffix
    18633: ! DeleteFile : %ld
    18653: DeleteReconstructedTempFile
    18681: DeleteAllReconstructedFiles
    18721: m_pCurrentRp = NULL
    18741: CRestorePointEnum::FindNextRestorePoint
    18781: ! GetCurrentRestorePoint : %ld
    18813: Cannot allocate memory for m_pCurrentRp
    18853: Cannot allocate pFindData
    18881: CRestorePointEnum::FindFirstRestorePoint
    18961: ! CreateFile on %S : %ld
    18989: ! ReadFile on %S : %ld
    19013: SRMemAlloc failed
    19033: CRestorePoint::ReadLog
    19105: SRCLIENT.dll
    19145: SetFileAttributes ignoring %ld
    19249: OpenService failed 0x%x
    19273: OpenSCManager failed 0x%x
    19301: SetServiceStartup
    19321: ! QueryServiceConfig (first) : %ld
    19357: ! QueryServiceConfig (second) : %ld
    19393: ! SRMemAlloc
    19409: SR Service is not running
    19437: QueryServiceStatus failed 0x%x
    19469: IsSRServiceRunning
    19489: ! WriteNtUnicodeString : %ld
    19529: ! CreateFileW : %ld
    19549: ! GetComputerNameW : %ld
    19577: GetDomainMembershipInfo
    19617: LogDSFileTrace
    19633: pfnMethod failed. ec=%d.file=%S
    19669: dwErr != ERROR_NO_MORE_FILES. It is %d
    19709: Base dir %S
    19721: Ignoring long file %S
    19773: FindFirstFile failed ec=%d. Filename is %S
    19817: FindFirstFile returned %d
    19845: ProcessGivenFiles
    19893: RegType is %d, not %d
    19917: RegQueryValueEx failed error 0x%x
    19953: RegOpenKeyEx open error 0x%x
    19985: Trying to open %S %S
    20009: ReadRegKey
    20021: Restore failed because of disk space
    20061: CheckForDiskSpaceError
    20085: Last restore was not done in safe mode
    20125: Last restore was done in safe mode
    20161: WasLastRestoreInSafeMode
    20189: Couldn't get alternative name.
    20221: SRGetAltFileName
    20257: Failed to load framedyn.dll on second attempt. ec=%d
    20353: Buffer not big enough. WinSys is %d chars long
    20401: Failed to load system directory. ec=%d
    20441: Failed to load framedyn.dll on first attempt. ec=%d
    20493: LoadFrameDyn
    20537: Failed to load srclient.dll. ec=%d
    20601: Failed to load framedyn.dll
    20629: LoadSrClient
    20645: RemoveDirectory failed with %d
    20677: DeleteFile or TakeOwn failed with %d
    20717: Delnode_Recurse failed with %d, ignoring
    20761: Delnode_Recurse failed with %d
    20793: Delnode_Recurse
    20861: INTERNAL__AsyncBinaryTrace
    20889: INTERNAL__AsyncStringTrace
    20917: INTERNAL__SetAsyncTraceParams
    20949: INTERNAL__DebugAssert
    20973: INTERNAL__FlushAsyncTrace
    21001: INTERNAL__TermAsyncTrace
    21029: INTERNAL__InitAsyncTrace
    21081: EnabledTraces
    22037: rstrui.pdb
    25515: PPPPPPP
    25585: PVVVVVV
    25612: u4VVVV
    26430: t%8^lt 9^x
    28077: PPVPPW
    28738: u93Wt\
    28942: |PVhL,
    31486: tLVh<.
    34721: WWWhT2
    46327: 90u29p
    51617: PQQQQQ
    52634: tGf98tBP
    53419: tGf98tBP
    54069: tGf98tBP
    57627: tUVhX=
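The readout above is a printable-strings dump of rstrui.exe with byte offsets: imported DLL names, format strings, build paths under d:\xpsp1\... and the rstrui.pdb symbol file name. The way a responder settles whether a flagged system file is the genuine one is to extract exactly those items and compare them against a known-good copy from the same Windows version, rather than reading a behaviour alert as proof of infection. The following Python is an added example, not WormGuard's code and not from anyone in this thread: it produces the same offset: string layout from any byte string and then sorts the result into imports, build paths, PDB name and heuristic keyword hits. The sample bytes, the MIN_LEN threshold and the HEURISTIC_WORDS list are constructed assumptions.

```python
"""Offset-annotated printable-string extraction, in the "offset: string"
layout of the rstrui.exe readout above, plus a first-pass triage of the
result.  Added example; the sample bytes below are constructed, not taken
from any real binary."""
import re
from typing import Dict, List, Tuple

# Minimum run length to report.  An assumption: the readout above does not
# state what threshold WormGuard used.
MIN_LEN = 4

# Words that behaviour heuristics of the kind reported in the thread
# ("contains suspicious string: startup", "executes a file") tend to key on.
# Illustrative list, not WormGuard's.
HEURISTIC_WORDS = ("startup", "createprocess", "deletefile")


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str]]:
    """Return (byte offset, text) for every run of >= min_len printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def format_readout(strings: List[Tuple[int, str]]) -> str:
    """Render the list exactly like the forum readout: '<offset>: <string>'."""
    return "\n".join(f"{off}: {s}" for off, s in strings)


def triage(strings: List[Tuple[int, str]]) -> Dict[str, List[str]]:
    """Sort the strings into the groups a responder looks at first when a
    flagged system binary must be checked against a known-good copy:
    imported DLLs, embedded build paths, the PDB name, and heuristic hits."""
    out: Dict[str, List[str]] = {"imports": [], "build_paths": [], "pdb": [], "heuristic_hits": []}
    for _, s in strings:
        low = s.lower()
        if low.endswith(".dll"):
            out["imports"].append(s)
        elif low.endswith(".pdb"):
            out["pdb"].append(s)
        elif re.match(r"^[a-z]:\\", low):          # drive-letter path, e.g. a build tree
            out["build_paths"].append(s)
        if any(w in low for w in HEURISTIC_WORDS):
            out["heuristic_hits"].append(s)
    return out


# Constructed stand-in for a PE file: a DOS stub message, one import name, one
# error-format string, one build path and a PDB name, separated by NUL bytes.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 10                       # header bytes, not printable runs
    + b"!This program cannot be run in DOS mode.\x00"   # first string, at offset 14
    + b"KERNEL32.dll\x00"
    + b"::CreateProcess failed - %ls\x00"
    + b"d:\\xpsp1\\admin\\pchealth\\sr\\shell\\main.cpp\x00"
    + b"rstrui.pdb\x00"
    + b"\x01ab\x02"                                     # too short to report
)


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    print(format_readout(found))
    for group, items in triage(found).items():
        print(f"{group}: {items}")
```

Run it against a real file with `extract_strings(open(path, "rb").read())`; the `heuristic_hits` group shows why a legitimate program such as a restore UI, which does launch processes and delete files, can trip a generic behaviour heuristic, while `imports`, `build_paths` and `pdb` are the fields worth diffing against a trusted copy.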
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Well done! I am not sure what is causing the problem with WG - you could send a copy of your read out to support@diamondcs.com.au they may give you a better answer regarding your list than I can.

    I am glad the shortcut worked
     
  12. Julian

    Julian Guest

    Have had the same problem with Help & Support. The problem is caused by the system creating a zero byte file with the same name. Do a search for helpctr.exe and delete all zero byte copies, the program then runs as normal.
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, thanks Julian for the reminder. I occasionally delete the 0 byte files I see for about every function, and I think it helps. For a few I copied the original exe in strategic places so they keep working anyway.
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yeah, thanks Julian. I did state that earlier in the thread but it cannot be stated enough :)
     
  15. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    When I found helpctr.exe & then created a shortcut to the desktop, there were no zero files - should I be looking elsewhere? Am not familiar with zero files. :oops:

    The reason WormGuard is not allowing System Restore to run is because the virus spread & is resident there. Someone on another forum was able to read the contents as posted and pointed to several areas of infection. This proves that WormGuard is doing its thing well. :D

    Thank you to everyone for being so helpful - it is very much appreciated. I have truly learned a great deal from not only those helping me but also from reading other parts of the forums. Again thanks from a peachy learner :-*
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    P4U, if you mean in the long listing from above, for our info could you mention the line numbers, or is this not what you mean? Even though I noticed in my older emails I received that infection various times, I didn't run it, nor do I have System Restore, so I can't reproduce it over here.
    Had hoped that fix would disinfect the nasty and eventually delete it; with disabling the System Restore, reboot, enabling System Restore again, making a new restore point and deleting or cleaning out all older points I had hoped you would have been completely rid of it, so I'm really puzzled that in your current System Restore you would still have that infection. If possible delete the thing please, and you should be really clean if that fix did its work.
    If you know the file names/elements, normally one hunts for those on the system and deletes them too.

    Anyway, good to know WG does it's work well, never doubted on that :)


    About the size 0 bytes files:
    If you do a search on your system for files of that size, you might find various. Windows creates them if it can't get to the original file for some reason in the directory from where you are calling that function.
    Now you are on XP, so for you files of size 0 KB may or may not really be 0 bytes. So find them. In your TDS, in the scan options, you see you can configure TDS to scan those too and see if they are really empty or contain streams. These are not necessarily malicious: several programs like virus scanners put code there for later control if there were modifications, for instance checksums, whatever.
    So if TDS with that scanning tells you they are really clean, delete them. If TDS says they are suspicious, ask advice.
    If they are just normal innocent things from the scanners, leave them in peace as they will be recreated again, I suppose.
    But deleting those that were really empty might make your system work nicer.
     
  17. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Jooske - I did disable System Restore, reboot, enable, reboot, and no deal. Simply by disabling SR in XP will delete all the previous restore points automatically, leaving only the last restore point. In my opinion the last restore point would be after the virus infection and I do not think I would be wise to use it. Not being familiar with what I can and cannot do in SR, my question was as to whether I could delete everything completely in system restore and then set a new restore point as at the date of deletion. It seems all the advice I get is delete to the last restore point which in my opinion will not get rid of the virus. That is why I am still messing around with it. My guru who set up my computer for me last year may have an answer as he uses XP and should know how SR can be dealt with in this situation. Shall give him a call tomorrow. Anyway, the virus is nowhere else in my computer as I deleted any reference found including deletion from Quarantine. My computer is clean except for this one area which is in doubt. I followed the FixSobig tool instructions after the first fix twice and each time it said the SoBig virus could not be found. If that is the case, and WormGuard thinks it is still in SR - could it be that WormGuard is reading a killed virus? :doubt:

    I found four 0 files in Documents & Settings including helpctr.exe - they have been deleted after I scanned them. They were clean. :)
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    We just want you to get rid of ALL the former system restore points and make a clean one from the new clean situation manually.
    This should solve the problem, as what is deleted completely should no longer be there.

    Read here please:
    http://service4.symantec.com/SUPPORT/ent-security.nsf/3d2a1f71c5a003348525680f006426be/365d4251002f832085256b4300675d39?OpenDocument

    If the 0 bytes files are found clean from streams or other stuff delete them!
    Look if there is anything in TDS, WG, famous places to collect them for some reasons, and deleting them occasionally will keep your Help running too we might hope.
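Julian's advice (search for helpctr.exe and delete all zero-byte copies) and Jooske's caveat (a 0 KB file on NTFS may still carry a data stream, so check before deleting) fit together into one small tool. The Python below is an added example, not part of this thread and not from TDS, WormGuard or any other product mentioned here: it walks a directory tree for zero-byte files with a given name and, on Windows, enumerates each file's NTFS streams through the kernel32 FindFirstStreamW/FindNextStreamW API so that a stub with a hidden alternate data stream is reported as "has-ads" instead of being treated as empty. The sample directory layout is constructed inside a temporary folder; the helper names are this example's own.

```python
"""Locate zero-byte copies of a file name (the helpctr.exe problem in the
thread) and report whether each is genuinely empty or carries an NTFS
alternate data stream.  Added example, not from the thread or its tools."""
import os
import shutil
import sys
import tempfile
from typing import List, Tuple


def find_zero_byte_copies(root: str, name: str) -> List[str]:
    """Walk `root`; return absolute paths of files called `name` (case-insensitive)
    whose main data stream is 0 bytes.  Unreadable entries are skipped."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() == name.lower():
                p = os.path.join(dirpath, f)
                try:
                    if os.path.getsize(p) == 0:
                        hits.append(p)
                except OSError:
                    pass
    return sorted(hits)


def list_streams(path: str) -> List[Tuple[str, int]]:
    """Return (stream name, size) for every NTFS data stream of `path`, using
    FindFirstStreamW.  Other platforms have no ADS, so the list is empty."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * 296)]   # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindClose.argtypes = [wintypes.HANDLE]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle == wintypes.HANDLE(-1).value:                        # INVALID_HANDLE_VALUE
        return []
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def classify(path: str) -> str:
    """'has-ads' if any stream besides the unnamed ::$DATA stream exists
    (scan it before deleting), otherwise 'empty' (safe to remove)."""
    extra = [s for s in list_streams(path) if s[0] != "::$DATA"]
    return "has-ads" if extra else "empty"


def report(root: str, name: str = "helpctr.exe") -> List[Tuple[str, str]]:
    """(path relative to root with '/' separators, classification), sorted."""
    rows = []
    for p in find_zero_byte_copies(root, name):
        rows.append((os.path.relpath(p, root).replace(os.sep, "/"), classify(p)))
    return sorted(rows)


def build_sample_tree() -> str:
    """Constructed layout: two zero-byte helpctr.exe stubs where XP tends to
    drop them, the real program elsewhere, and an unrelated empty file."""
    root = tempfile.mkdtemp(prefix="zerobyte_demo_")
    layout = {
        "Documents and Settings/Peaches/helpctr.exe": b"",
        "Documents and Settings/Peaches/Desktop/helpctr.exe": b"",
        "WINDOWS/PCHEALTH/HELPCTR/Binaries/helpctr.exe": b"MZ" + b"\x90" * 64,  # stand-in, not a real PE
        "WINDOWS/Temp/other.txt": b"",
    }
    for rel, content in layout.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(content)
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, verdict in report(demo_root):
        print(f"{verdict:8} {rel}")
    cleanup(demo_root)
```

Point it at a real drive with `report("C:\\")`; only rows marked `empty` are the harmless stubs Julian describes, and the real program under PCHEALTH\HELPCTR\Binaries is never listed because its size is non-zero.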
     
  19. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peaches4u, You can turn off SR completely. You can then set the restore size allowance % to nothing. Delete all restore points. Restart your PC and you will have created a restore point of 0 bytes. Check that there are no earlier points left & reboot, therefore effectively "killing" any unwanted data in the restore. After this you could then increase the restore point allowance to its original %.

    HTH Pilli
     
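    The same sequence Pilli describes (protection off, allowance down, every old point gone, one fresh point from the clean state), written as an added example for Windows PowerShell 5.1 on a modern Windows client; it is not part of the thread or of any DiamondCS product. It assumes an elevated prompt and that C: is the protected system drive.

    ```powershell
    # Added example: Pilli's "disable SR, drop the allowance, delete every point,
    # re-enable, make one clean point" sequence for modern Windows PowerShell 5.1.
    # Assumptions: elevated prompt; C: is the protected system drive.
    #Requires -RunAsAdministrator
    $Drive = "C:\"

    # 1. Record what exists before touching anything; the points taken before
    #    cleanup are exactly the ones we do not want to keep.
    Write-Host "Restore points before cleanup:"
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

    # 2. Turn protection off for the drive (the XP "Turn off System Restore" checkbox).
    Disable-ComputerRestore -Drive $Drive

    # 3. Remove every stored shadow copy; this is where restore points live, and it
    #    replaces the reboot Pilli relies on to flush them.
    vssadmin delete shadows /for=C: /all /quiet | Out-Null

    # 4. Cap the space the restore area may use (the "reduce to 3%" advice later in the thread).
    vssadmin resize shadowstorage /for=C: /on=C: /maxsize=3% | Out-Null

    # 5. Re-enable protection and create a single point from the cleaned state.
    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description "Clean baseline after malware removal" -RestorePointType MODIFY_SETTINGS

    # 6. Verify: exactly one point should remain, created after the cleanup.
    $points = @(Get-ComputerRestorePoint)
    if ($points.Count -ne 1) {
        Write-Warning "Expected one restore point, found $($points.Count); check the vssadmin output."
    }
    $points | Format-Table SequenceNumber, CreationTime, Description -AutoSize
    ```

    On Windows 8 and later, Checkpoint-Computer silently skips creation if another point was made within the last 24 hours, so run the verification step rather than assuming the new point exists.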
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe after disable restore > reboot > SCAN > reboot, and don't use that Sobig fix anymore if the scan was clean, and don't let that fix touch your restore or whatever, you should be very clean. Cleaner can only be had with a reformat, but ok, you are supposed to be very clean.
    As with Pilli's instruction you should now have an empty restore point; this is clean as well,
    so if you think you really want and need to have a restore enabled, this might be the moment for a careful try to make one manually and see what WG does with it, I guess after another reboot.
    What were the WG messages btw?
     
  21. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi - am behind schedule - have unexpected visitors and now
    houseguests until Monday and need quiet to do all this. :rolleyes: Have suggestions all printed out and ready to roll as soon as visitors leave. Till then, this is the message from WormGuard:
    This file has been temporarily blocked from executing.
    Risk Assessment: Medium
    Script Analysis: Security risks detected.
    WormG Script analysis:
    . contains suspicious string: startup
    . executes a file
    . Accesses the file system.
    File Script: MZO
     
  22. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi P4U, I am very sure there was more in the source of the file; that is what the "view in safe mode" button at the right under the display is for, to see it all.
    But it might have been in another code.
    What kind of file was it, how did you get it and what was the name, and where is it located?
     
  23. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Is this the System Restore thing? Just click ALWAYS ALLOW :)
     
  24. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Hi folks. Decided to forfeit some sleep and get it over with once & for all. There is absolutely no reason at this stage for WG to stop the file from running and I have pretty much decided as suggested by Gavin to allow the file to always run. I have checked my system most thoroughly.
    > No errors in registry
    > No errors after doing a Program Integrity scan
    > No errors re Free Space check.
    > Virus definitions are up to date.
    > No errors re Disk check
    > No errors re Scan Disk.
    > Virus Scans clean.
    > I created a fresh restore point this evening & removed all others.
    > It was recommended that I reduce my restore space to 3% rather than 12% where it was set - 3% it is now!!
    > WG still says "No" and I say yes, I shall run the file as I am confident my computer is clean.
    > Computer running smooth as silk. :)

    Last but not least, I am going ADSL and off cable sooner rather than later.

    On that note, thank you everyone for your input and assistance - you have all been very helpful. You are the greatest! :-*

    Oh & Jooske, I have my email so tightly configured, thanks to your list of extensions, and suggestions that "touch wood", I shall never have to deal with a virus again. It is only my 3rd time in 3 yrs. - hopefully now it will be reduced to nil. :D My next newsletter will have a nice write up about Wilderssecurity, WG & TDS in my "Computer Junkies" section.
     
  25. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peaches4U, I am sincerely glad that all appears well again. My first experience of infection was the QAZ Trojan; fortunately an alert tech at my ISP had been tracking it through their network & informed me immediately that I was infected - I had just changed from dial-up to cable and the Trojan had got in during the changeover process.
    This led me to investigate all the security aspects of an "always on" connection. Again, fortunately I came across DCS very early in that learning process, and since then, some two and a half years later, I have not had another Trojan, virus or worm.

    Great products & superb support!

    Be lucky - Pilli
     