WormGuard & W32.Sobig.A@MM

Discussion in 'WormGuard' started by Peaches4U, Apr 18, 2003.

Thread Status:
Not open for further replies.
  1. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Have trial version and WG took on a nasty biggie, namely, "Sobig". This worm instantly corrupted my Norton AV and denied access to quarantine the worm. :( But, fortunately I have AVG also and it quarantined the worm. This worm did a freeze on Norton rendering it inoperable. However, Sobig corrupted 2 files in my System Restore. [have WinXP] I downloaded the Removal Tool from Symantec, ran it several times adhering to instructions; uninstalled & re-installed Norton. I disabled my System Restore and ran the removal tool twice. All scans came out "clean" by AVG & Housecall & SobigFix. But, WG did its thingie too but action taken did not show up on my screen when infected. As I was attempting to access SYSTEM RESTORE, WormGuard flashed this at me "Warning: For Security reasons this file has been blocked from executing". Okay, well & good but how do I deal with WG at this stage? Is it safe to click on WG to allow files to run since I have run the removal tool after disabling SYSTEM RESTORE. o_O Reason I ask is that this worm has the ability to re-install itself again. :mad:
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hmmm
    Hi Peaches4u, sad story.
    How did the thing come on your system in the first place and how was it able to run and infect you? If you have WG installed you should have had a warning of blocking a nasty and why.
    If you have NAV with the email scanning and protection loaded, NAV should have quarantined it before running and infecting, so it should not have been able to disable NAV,
    and if you have ZAPro (zone alarm pro version) its email safe should have renamed and quarantined the worm too, while clicking the infection from an email should have made popup the ZAPro warning, if still insisting to run it the WG warning with possibility to look at the file in the safe mode should have been there, and i'm not sure what NAV would have done, all before the nasty could ever have been running and infecting at all!
    So how could it?
    If you have TDS installed with exec protection that last one would have determined nasty code and disabled the running another time, and i don't know what your AVG does in the meantime.


    I wonder if you have WG why it did not block before infecting you, was there not any warning to stop it?
    If you found the filenames it's trying to execute, not the wormname itself, add this/those in the field on the right for blocked files to start with.
    If WG is warning it is there and if possible don't use that restore version.
    I'm not all familiar with the restore function, so i hope others jump in here, thought it was something like reboot and a new clean restore will be made, hope this is correct, and i don't know exactly if for this reboot the restore must still be disabled or enabled, so with this infection i'm not 100% sure, waiting for people who really can tell this with all certainty.
    You seem to have WG properly installed and enabled, as it does give you warnings now fortunately.
    If you have no TDS yet, have a trial and update with the latest radius and scan all there is on highest sensitivity another time, even after your reboot and system restore to be all sure.
    With the system restore you could also have gone back to a point you were sure to be before the infection, btw, but ok, you are this far and clean already.
    I suppose the registry keys have been cleaned out by the SobigFix tool as well?
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peaches4u, Jooske is correct in asking how you got this Worm. As for the System restore function in XP - Most AVs / AT's cannot scan inside the file - WG is detecting Sobig when it is accessed by the system restore function. It sounds to me as though you or another user may have inadvertently installed an email attachment, having said that reading below it looks like it can change or new variants can be created & this may also be the problem.

    I am not familiar with this worm but did find the following info'

    [quote]Sobig is a mass-mailing worm incorporating its own SMTP engine, according to antivirus companies. It arrives from the e-mail address "big@boss.com" and bears a subject line such as "Re: here is that sample", "Re: Movies", "Re: Document" or "Re: Sample". The e-mail contains an attachment called "Document003.pif", "Sample.pif", "Untitled1.pif" or "Movie_0074.pif".

    It affects the Windows 95, 98, Me, NT, 2000 and XP platforms. The worm was originally not considered a serious threat, but has been upgraded due to its rapid spread.

    When the attachment is clicked on, it runs a program that searches for files containing e-mail addresses and uses these to send infected e-mails. It also connects to a Web site and downloads a text file containing another Web address, from which it attempts to download and run another program. MessageLabs speculated that this program was a backdoor trojan horse, which could allow a hacker to take control of the user's PC.

    If there is a local-area network connection, Sobig attempts to copy itself onto shared network folders.[/quote]
     
  4. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :'( The infection must have occurred when doing my email. Oh yes, both AV programs flashed on my screen - Norton froze and AVG picked up the worm and automatically quarantined it. I may have opened an email from a usual contact - this contact having an infected machine and the worm sent itself to me. I never open anything from unknown sources.
    For starters, I have ZoneAlarm [freebie], Norton 2002 version and AVG [freebie] AV, SpyBot, Ad-aware; SpywareBlaster, SpywareGuard and WormGuard. How it got past all this is beyond me. SpywareGuard gave no warnings on the screen even though it is set to do so. I have my Outlook configured to block all mail & attachments with the following extensions: vbs; shs; pif; scr; txt; wsh; hta; sha; jse; eml; html; htm; wab; so am surprised a "pif" came through. My preview pane is closed and I only open it from my Toolbar when I am confident that it is from my regular contacts. My OE is set to warn me if unauthorized mail is sent. Today, mail I was sending halted and in the details area it said "warning"! Sounds to me like the worm still resides. I did an AVG scan - all clean. No warning came from WormGuard.
    One of my contacts must have the worm in their computer which sent itself to me but which one? I am at the stage when I see an attachment clip, I simply delete without opening - or I will sometimes email back asking the contact if they sent same to me. I am now also going to start deleting all forwards which in my opinion, originate from sources often unknown to me.
    WormGuard is still not allowing my system restore to run.
    SobigFix can scan and repair System Restore -
    About System Restore in WinXP, Windows prevents System Restore from being modified by outside programs, so antivirus programs or tools cannot remove threats in the System Restore folder. As a result System Restore has the potential to restore an infected file onto your computer even after you have cleaned the infected files from other locations. In some cases, online scanners may detect a threat in the System Restore folder even though you scanned the computer with an AV program and did not find any infected files. So if WormGuard is not allowing system restore to run, how can the worm restore itself and get out? However, SobigFix from Symantec is supposed to clean out System Restore and repair the files - I ran the tool and everything checked out okay - I did it several times.
    I have checked my registry for any unusual entries named by Symantec - there are none. Going back a step or two, after I had first done the SobigFix & because it was late I signed off the internet and tackled SystemRestore with SobigFix after reading my email. Worst luck would have it I got hit with the worm a second time. The worm must have restored itself or came through as an email. My AVG anti-virus scan nabbed it a 2nd time and quarantined it. So how did it get past WormGuard? There was no warning from WormGuard! Ahrrrr!!!! Norton came on the scene again but froze on screen "access denied" was the message. Oh, there was nothing unusual in the subject lines and most certainly none that I have searched in my deleted mail [all 563 emails - plus the 85 I have yet to read] that was mentioned by Pilli.

    It may well be that my Outlook Express is also corrupted. My Outlook Express is not functioning properly.... I have problems sending mail and incoming mail seems to gag. Yet, I can't find anything so possibly I may have to uninstall Outlook Express and re-install it again.... What say you all?
    I have been especially careful to run a "tight ship" and have been advising my contacts to please do so and to visit these forums to learn as I did. Well, you can lead a horse to water but you can't make them drink! If I sound frustrated, you bet I am!!
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Peaches4u,
    May i first concentrate on the Sobig part here?
    I might suppose the file would have been deleted or disinfected somehow, but restore is famous for putting back infections, unless you do a reboot, after which you manually make a new restore point from the now clean situation.
    I suppose you did so, right?
    Is it possible to delete infected older restore points, if not all to gain disc space?
    Not sure how the infected code in there looks like after that fix, as it seems not deleted nor made completely unexecutable as it runs fine again once you allow that restorepoint to be used. WG sees that kind of code, executable or not, so you will get that alarm, till you have a new clean restore point.


    For the email scanning/attachments:
    Your free ZA only scans for VBS.
    The pro version scans also on exe, com, url, bat, chm, cpl, hta, ins, isp, jse, js, mda, mdb, mde, ade, adp, mdz, msc, prf, dhx, nch, pcd, reg, scr, crt, inf, shb, shs, pif, lnk, vbe, vb, vbs, bas, mst, scf, msi, msp, asx, wms, cmd, sct, wsc, wsf, wsh, hlp
    So you might like to add all your email scanner settings can handle.
    Which of your programs does the email scanning?
    If your NAV froze instead of blocking the file, there is something wrong:
    Did you have WG installed and enabled that moment already?
    If there is a warning, NAV quarantining the file, maybe a warning about what happened and your system brought into safety, so you can work on, but with your updated system and WG installed the file never ever should be able to run without all the proper configured defence tools.

    You might like to do a repair install for IE in which OE is included:
    first of all close all the av/at except WG/TDS.
    control panel > software > add/remove, hunt for the MS Internet explorer > 1x click add/remove, you should get a popup with among others an option for a repair, which you do (is just a second) best reboot after that.
    If you can't you get a warning and you'll have to do a new install on the update site, for IE, which will just copy the missing files and in a few moments you're complete again. Might have to reboot and look at the OE settings if it's working properly now.
    Maybe it doesn't like two or more scanners blocking it, could be NAV and AVG were fighting over the file detection ending up infecting you anyway.
    I never run two av/at programs at a time.
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Peaches4u, Jooske gives good advice, there are still a couple of things that bother me though.
    1. Sobig can call for or have a Trojan attached so when you start up your PC this Trojan could be phoning home & re-installing Sobig, the Trojan may also be able to screw up Norton but AVG is catching the Sobig re-install. This may depend on your Internet connection, if you are a cable/ADSL user on 24/7 then this "possible" Trojan is starting its actions when your PC is connected. You sound as if you are very careful with your PC security so I must assume that you have your firewall set up correctly etc.
    2. In XP you can delete all the restore points from the Help & Support Centre, so maybe deleting all the current restore points & then after cleaning out sobig again create a new restore point called "Clean" whilst disconnected from the internet. Restart your pc & restore using the restore point "clean" that you created.

    Not sure if this will help but maybe, just maybe, it will - Pilli
     
  7. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :'( Wow, from what you just said, I think I shall get the paid version of ZoneAlarm - well worth it. Thanks Jooske I shall follow your instructions re IE. & other recommendations. Now regarding system restore, and Sobig, I did not do a reboot as it was not mentioned in the Symantec instructions. :oops: I did not set a new restore point [wow so much to learn about the restore feature as I had never had cause to deal with it. :(] Shall have to figure out how it is done.

    Regarding Outlook Express, I think I have found the culprit and it has nothing to do with the worm. :D Did an Ad-Aware scan rather than SpyBot, thinking perhaps some spyware got through and I find a Data Miner [quarantined it] which is a RedSheriff Tracking cookie. I learned it resides in java applets ..... this led me on the hunt and to this site: http://www.wilderssecurity.com/archive/index.php?board=34;action=display;thr - I believe it might be just as simple to put this nasty into my restricted sites but I first have to study and comprehend info from this site: http://www.spywareinfoforum.com/yabbse/index.ph...y;threadid=2239....... oooooh, not tonight as I'm wiped. Maybe you can leave me some suggestions to save on a lot of searching.

    Anyway, suddenly my email is working as it should be after the quarantine. Thanks Jooske for your help, you are the best. ;)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Glad it all worked out fine.
    Guys thanks for the system restore info, as i'm not using it myself, i'm glad you correct these important gaps!
    Saves people from deleting and deleting again :)
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Peaches - A few points occur to me that haven't been mentioned so far.

    (a) You said: "I never open anything from unknown sources." It doesn't really matter whether you know the source or not - known sources are just as likely to be infected as unknown sources (and I'm a little confused by the fact that the description of the worm says that the sender name is always "big@boss.com" - unless of course, you know someone by that name! :) ). Not to mention the fact that many of today's virii, trojans and worms will come to you looking like they were sent from someone you know, even though that's not actually the case (their email addresses get picked up from various people's address books - whether or not those individuals are actually infected or not, the malware will still appear to be coming from them).

    (b) SpywareGuard isn't going to warn you about something like what you experienced - it's not an AV or an AT program, it's strictly for "spyware" not malware (ditto for AA, SBS&D and SpywareBlaster).

    (c) I never recommend use of the "Preview Pane" at any point during OE usage - I simply don't trust it due to its penchant for letting things run automatically that shouldn't be allowed to run. If you want to "preview" your email, use MailWasher (I also use Benign, by the same company that makes MW - both can be found at http://www.firetrust.com).

    Also, as far as your OE settings go, when you go to Tools/Options in OE, do you have (on the "Security" tab, under the "Virus protection" heading) "Restricted sites zone (More secure)" checked? If not, you should. (And you should have all your "Restricted Zone" options set to "Disable"/"High"). You might want to think about putting a dot in the radio button in front of "Do not allow attachments to be saved or opened that could potentially be a virus" - I don't do that (it's a PITA), but it would have nipped your problem in the bud.

    (d) What version of OE are you running? When I click on Help/About Outlook Express in OE, mine says "6.00.2800.1106 (xpsp1.020828-1920)" - what does yours say?

    (e) You said: " I have searched in my deleted mail [all 563 emails - plus the 85 I have yet to read] that was mentioned by Philli." Was that a mis-statement? Or do you really still have all your "deleted" emails in the "Deleted Items" folder? If so, why? You need to empty it if that's the case, because loading up any of your folders in OE will eventually cause irreversible corruption of OE.

    (f) You said: "I have AVG also and it quarantined the worm." Okay, does the free version of AVG let you delete the quarantined worm from there, too? Seems like you'd need to get rid of it from there, also, to get it completely off your system, "quarantined" or not.

    (g) If your Norton 2002 was fully up-dated (both engine and definition-wise) at the time of the infection, I really don't understand that, either (does anyone know if installing N2002 to a non-standard location, or changing the name of its exe, would have helped keep it from being knocked out?). It also raises the question in my mind of whether the fact that you have two AV's running resident at the same time might have come into play and defeated Norton's ability to deal with it properly.

    Disabling System Restore: http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

    It's one of those "given" things that it's standard procedure to re-start the computer after making changes, be it deleting something, installing something, un-installing something, etc.

    It's another one of those given things, when you're dealing with an infection of any sort, that you get all your "dis-infection" info together, print it out, get offline (whether you have to un-plug the phone line or the cable modem line or whatever ), then do the "fixing", then re-start the computer (while still offline).

    Okay, my brain's fried and I'll hush. Hope something in here helped. Pete
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Nice one Spy1 - You could edit it slightly and make it into the start of a tutorial :D One karma cookie from me - Enjoy!
     
  12. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    Reply: Pete - I checked all my deleted mail and nowhere was there an email from "big@boss.com" nor any email that contained any of the words used by Sobig in the subject line. Strange!!


    Reply: Well, I think that is how the infection happened. I traced it down to 3 possible contacts for that day. One I am sure was okay and the other two are questionable as I know they have no spyware protection, etc. Both had "sick" computers, as they put it, prior to this infection.


    Reply: True, however, SG did react in the background and I am grateful for it.


    Reply: I do have my preview pane closed and only open it from my toolbar occasionally. Yeah, I do get lazy from time to time... :oops: I have also written about this in my Club newsletters as I do a wee column on tips & stuff of interest.


    Reply: The answer is "Yes" but will re-check it again.


    Reply: Checked and it is set on High.


    Reply: It is set that way but can't remember just when I did it but believe it was "before" the infection & case scenario with my neighbor. Thinking back, I believe I shut mine down after my neighbor had problems with an open preview window by getting several virus infections last Fall. However, that is not to say that I may not have forgotten and left mine open after sorting through my mail before deleting. It could have happened o_O?


    Reply: It is the same: 6.00.2800.1106[xpsp1]0208-28-1920


    Reply: Well we were away and as I get an average of 50 plus emails daily, it built up whilst I was trying to catch up. I have finally emptied the folders, did maintenance, so okay that way. However, as previously stated I think that it was RedSheriff [data miner] that was causing my OE to malfunction because after Ad-Aware quarantined it, & I deleted it, my OE is working fine... so, I would guess that Sobig did not have enough time to do damage there. It seems like everything was happening at the same time.


    Reply: Yes, it can be deleted manually or set to be deleted automatically after "X" number of days in quarantine. I did a manual delete instantly.


    Reply: Did that immediately after I ran the removal tool along with internal & external [namely, housecall] scans.


    Reply: Although I have Norton set to update automatically as well as AVG, I do not trust that completely as I am not always online. I check manually like every other day or sooner but never later unless I am away but even then as soon as I return & sign on, I check for updates for everything that needs it. However, I do get busy and sometimes am not able to stick to my schedule.


    Reply: Pete, I believe J.S. Exploit also knocks out Norton. I think I read that somewhere and I think, if memory serves me, that a friend had it knock out their Norton. My neighbor has only Norton and picked up Sobig last year [twice] and it knocked out her Norton also. She also picked up Yaha. Actually, she was in such a mess at one point she could not sign on the internet, or do anything so I downloaded the tools on to a diskette along with printing the instructions and gave them to her. Her OS is WinXP & Norton 2002. So perhaps Sobig was enhanced to do so in order not to be blocked. She also had Klez around the same time. Eventually she had to pay a pro to clean it up for her. I have since discussed security with her and to close her preview pane but she is hard to convince. What can I say??


    Reply: From a discussion board I visit fairly often, many run both and found no interference. In my case, if I remember correctly Norton came on the scene first because that is when I tried to quarantine the worm and it froze with access denied. AVG came on screen on top of Norton and did the quarantine automatically.


    Reply: Thank you, I shall check out the sites and print out the necessary details. Ah, I have learned something new re the re-start of the computer. I admit I fail here as I only did the re-start when prompted. :(


    Reply: :oops: Well, I erred in not working offline on a restart. Yes, I did print out the removal instructions as well as how to disable & enable restore before dealing with the infection. No way on earth I would be able to remember all the details. I am on cable and it is a real pain to get to the back of the CPU to disconnect. Big time error here.


    - Fixed the YABBC tags that caused a page format problem - LWM
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You will like to read in the TDS Help manual the "Hunting unknown trojans", very instructive.

    WG protects you from nasty website stuff entering and activating on your system as well, together with your other security settings.
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske, Hopefully we will be beta testing WG4 soon which will feature regular incremental updates etc + its already formidable heuristics from WG3 will give us even better protection against all these Nasties!
     
  15. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :-* Thanks everyone for all the good advice. I have no doubt I will purchase WormGuard but will wait for the newer version. Whatever it does, it does well. :) It was proven to me. Pete has recommended SPYAD and shall have it installed today. Actually my little episode was a great learning experience for me - I feel so much smarter. :D Sweet peaches to all of you.
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for the peaches Peaches4u.
    For WG: if this works fine for you, i would not wait for the newer version, as registered users will be upgraded for free, so all this time you know yourself well protected. But do enjoy your evaluation time with it anyway, till you decide to keep it and i hope the newer version is then even closer. Seems really round the corner for beta testing, depending on our finds it can take a few weeks or a little bit longer so keep an eye on our messages :)

    You might like to grab the new free AutostartViewer to look what's all running -- it will take a little while to know what is all that, especially on your XP with all the services, but curious as i can be about the system, i like to know. Nothing to install, just unzip it somewhere you like and start it to have a look!

    You have the spy-detection tools, av/at, wg, the whole lot and your growing experience.
    Port Explorer you did look with already for possible connections, so with the whole DCS tools kit you really have something in hands for new layers of security.
    And from there all the joy and fun!
     
  17. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    :'( I am banging my head against the wall again. I disabled my system Restore in WinXP and did the scan again with the FixSobig tool and it reported that nothing was found. Okay, so then I proceeded to set a new restore point but in order to do so I need the Help & Support feature. When I click on it, I get the message that it is not valid - so I could presume that the worm damaged this file. Is there another way I can get around this? I did a disk cleanup including Restore but still WormGuard is stopping System Restore from running. I changed WormGuard to allow SR to run after I did the scans which showed "no infections" but it is still disallowing the file to run. Where to from here? I did a C&P of the details of the file, if one wishes to view what is in there I can post it - I don't understand anything there - oh boy, talk about feeling stupidly frustrated :'( Am a messy peach right now. :(
     
  18. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Re:WormGuard & W32.Sobig.A@MM

    Hi Peaches,

    If this is the message you are getting...

    [attached image: the warning message]

    then take a look at this thread regarding possible causes and solutions to this problem...

    https://www.wilderssecurity.com/showthread.php?t=3705;start=45

    Also, to run the interface to System Restore directly, you can enter this in the Start menu > Run... box:

    %windir%\system32\restore\rstrui.exe

    HTH,
    LowWaterMark
     
    Last edited: Apr 24, 2004
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did you disable SR > reboot > enable SR and from there try to make the new SR point?
     
  20. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    To LowWaterMark - yes that is exactly the message. I have read the fix and printed it out so that I can follow it step by step. Hope it works .... thanks also for the tip in getting into system restore....

    To Jooske - To be honest I cannot remember if I rebooted or not as I was going step by step from Symantec instructions which did not include a reboot. - I will repeat the process and make sure I do the reboot bit & have made note of it in case I ever needed the info again - heaven forbid. :oops:
     
  21. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    For LWM - To help restore Helpctr.exe in windows I got as far as "pchealth" but it did not have .inf added [searched everywhere] so I right clicked on PCHealth but no install to click on. :eek: Where to now?

    When dealing with REG_EXPAND_SZ this is what it showed:
    Temp: %SystemRoot%\TEMP
    IMP: %SystemRoot%\TEMP
    Windir: %SystemRoot%

    Under Value data, I typed in C:\\Windows and it replaced the existing Windir. Trying to add a new Windir simply gave the message [already exists]. It now reads Windir: C:\\Windows. Is this okay?

    Jooske - I redid the whole process and this time I did all the rebooting - no mistake about it this time. :D
     
  22. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Peaches,

    Okay, in the C:\Windows\Inf\ folder there was no file called "pchealth.inf"? See image below (note, on my system, my Windows folder is actually WinNT, but it is the same thing.) Were there any files in the 'Windows\Inf' folder?

    You said > "so I right clicked on PCHealth but no instal to click on" - Where, which PCHealth, in what folder? What was its file extension (PCHealth.XXX)?

    Also, Gavin's instructions were these:
    Was the Windir value actually a "REG_SZ" or was it already a "REG_EXPAND_SZ"? That was the key issue there. The circumstance where the "type" of the value was incorrect. That may have been the cause of the issue. Otherwise, if it was already a REG_EXPAND_SZ - it was already okay.

    You said > "I typed in C:\\Windows and it replaced the existing Windir." The instructions said to create a new 'windir' not change the existing one. Also, is "C:\\Windows" a typo? Did you actually mean "C:\Windows" (with only one slash)? That's what was above.

    Did you do the Export function (noted above) first, to save the original settings?

    I'll post a second image (it'll be in the next post) of what my values look like in that section (below). If you can make your list there look like the image below, that would be correct.
     


  23. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Here's what that section looks like in my Regedit...
     


  24. Peaches4U

    Peaches4U Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    5,070
    Location:
    At my computer
    My registry is identical except for the following exceptions:
    Classpath ....... this item is not in my registry
    Processor Revision ......... 0300 as opposed to yours
    Processor Identifier ..... Model 3 as opposed to yours.
    Answers to your questions:
    1. REG-EXPAND-SZ was always there - an oversight on my part by not typing it in my post. Apologies .. :oops: I did restore windir to its original state.
    2. I did a typo when referring to "C".
    3. Registry disallows another "windir" & requests a different name in order to add C:\Windows under Value data.
    4. Yes, I did do the Export function.
    5. I hit a brick wall at this stage: "To re-install Help & Support go to C:\Windows\inf\pchealth.inf"
    6. I did a printout of the instructions and followed step by step but am missing something like fully understanding what I am doing.... :(
    7. WG will not allow System Restore to run short of uninstalling the program. I tried to set a new restore point prior to the worm but no deal, it would only set a restore for today which I believe would be useless as it is after the infection.

    Comment: If I go into My Computer, then on "C", then click on Windows, click on PC Health, "helpctr" is there. When I click on helpctr, there are several folders but found the following are empty: Should they be o_O??

    Batch; System_OEM; Help files; Installed SKU's; Temp.

    That's it for today as I have been virtually glued to this chair - shall veg out and watch TV. :D Will check this board again in the morning with a fresh mind.
     
  25. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Okay, good. Your entries there are all okay then, so that is not the problem. By already being a REG-EXPAND-SZ, there was nothing wrong with your windir. Good! :)
    Yes, that's fine. The main Help programs and dll files are in the \Binaries\ folder. (I have 11 files there - .exe's .dll's and a .cab file.) If you have a similar amount, then it sounds like you probably have all the files, and the environment variables are also okay from what you said above.

    The thread referenced above had another very important thing noted - the existence of 0 KB files, all with the same name as key programs (helpctr.exe, notepad.exe, etc.) These files "get in the way" of running the real programs and are a problem. You may want to look around to see if you have any of those.

    Question: When you go thru the folders noted above... C:\Windows > PCHealth > HelpCtr > Binaries - Can you see HelpCtr.exe? Is it about 676 KB in size? Can you double click it, and if so, will that start the Help & Support Center? If that works, but the Start menu > Help and Support link doesn't, you may have the same problem as others have described in that other thread.

    For myself, I've never had the 0KB file problem, so I don't know any more about how to fix it than what is referenced in the other threads in the DCS sections here. If that is the problem here, then somewhere on your system is probably a file name "helpctr.exe" at 0KB and perhaps that is causing the problem.
    Good idea. It's best to do these things when you are rested. :D

    Start fresh tomorrow and there will be people here to help. :)
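    The "0 KB file with the same name as a key program" symptom LowWaterMark describes above can be checked for mechanically. The script below is an added example, not code from the thread, WormGuard or DCS: it walks a directory tree and reports empty files whose name matches a watch list of program names, using a constructed throwaway tree (a real-looking HelpCtr.exe under PCHealth\HelpCtr\Binaries and a 0 KB decoy named helpctr.exe elsewhere) as sample input.

```python
"""Find 0 KB files that share a name with key Windows programs.

Added example: a zero-byte file named like a real program (helpctr.exe,
notepad.exe ...) placed where the shell looks first "gets in the way" of
the real one, which is the symptom described in the thread. This walks a
tree and reports such empty files. The watch list is an assumption, not a
definitive list of Windows programs.
"""
import os
import tempfile
from pathlib import Path

# Assumed watch list: names mentioned in the thread plus rstrui.exe.
KEY_PROGRAMS = {"helpctr.exe", "notepad.exe", "rstrui.exe"}


def find_zero_byte_shadows(root, names=KEY_PROGRAMS):
    """Return sorted paths of zero-byte files under `root` whose name
    (compared case-insensitively, as Windows file systems do) is in `names`.
    Unreadable entries are skipped rather than aborting the scan."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fname)
            try:
                if os.path.getsize(full) == 0:
                    hits.append(full)
            except OSError:
                continue  # vanished or inaccessible; report nothing for it
    return sorted(hits)


def build_sample_tree():
    """Construct a throwaway tree mimicking the thread's layout.
    Returns (root, expected_hits). All content here is constructed."""
    root = tempfile.mkdtemp(prefix="sr_demo_")
    binaries = Path(root, "PCHealth", "HelpCtr", "Binaries")
    system32 = Path(root, "System32")
    binaries.mkdir(parents=True)
    system32.mkdir(parents=True)
    # Stand-in for the real program: non-empty, so it must NOT be reported.
    (binaries / "HelpCtr.exe").write_bytes(b"MZ" + b"\x00" * 64)
    # The 0 KB shadow file: same name, zero bytes, must be reported.
    (system32 / "helpctr.exe").write_bytes(b"")
    # Non-empty file on the watch list: must NOT be reported.
    (system32 / "notepad.exe").write_bytes(b"MZ")
    # Empty file that is not on the watch list: must NOT be reported.
    (system32 / "readme.txt").write_bytes(b"")
    return root, [str(system32 / "helpctr.exe")]


def demo():
    """Build the sample tree, scan it, and return (matches_expected, hits)."""
    root, expected = build_sample_tree()
    hits = find_zero_byte_shadows(root)
    return hits == expected, hits


if __name__ == "__main__":
    ok, hits = demo()
    for path in hits:
        print("0 KB shadow file:", path)
    print("matches expected:", ok)
```

    To run it against a real system, call find_zero_byte_shadows on the Windows folder (or each directory on PATH) and review the hits by hand before deleting anything.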
     