No System Restore/no Defrag/No administrator rights.


antioch

WIN XP SP3 - OE6, IE6
Yet to get round to this month's Black Tuesday updates.

Having spent quite a bit of time over the last couple of days cleaning the
machine of 'nasties' {see post 11 Aug - Strange Start-up}, problems have
somewhat increased.
I have done three scans with three different pieces of software -
Malwarebytes, Superantispyware, Spybot S & D, plus my ISP's in-house AV and
antispy.
At the last pass earlier today, nothing was found by any of them. I have
not yet done an HJT - thought I would post first in case there are other
ways and means.

I have now discovered that I no longer have Admin permission etc for what
appear to be very minor actions, when one considers what I have been trying
to do as set out below. I tried to DL an update and save to disc which it
would let me do - I was hoping that a Restore Point might have been placed
in System Restore.

However, I have also discovered since the last scans that I cannot Defrag -
cannot reset System Restore {I have gone through the whole of this - most of
which did not work}
http://bertk.mvps.org/html/srfail.html

I am rather at a loss now as to which course to take.

I cannot even get into Safe Mode with F8 - all I get is the Boot choices.
From the above link, the last two things to try are -

- If System Restore fails at this point, reinstall System Restore.
- If all else fails perform a Repair Install.

I appreciate that I have not given full details of what I have done
etc., but this post could have gone on and on.

Rgds
Antioch
 

Paul

You can run a scan for malware with this.

ftp://downloads2.kaspersky-labs.com/devbuilds/RescueDisk/

kav_rescue_2008.iso 116896 KB 7/20/2009

Download the file. Burn a CD with it. I used Nero to parse
the ISO9660 file and burn a bootable CD with it.

When the CD boots, the first thing the "kav" program does is
update the virus definitions. I make sure the computer is
able to make connections via DHCP before booting the CD.
That way, the Gentoo Linux environment on the CD is able
to use DHCP to get an IP address and connect to the
Kaspersky server. (If your ADSL modem is logged out,
then "kav" won't be able to update the virus definitions.)
There is no web browser on the CD - the CD is very basic
and has limited onboard tools.

Once the virus update is downloaded, you can select the disks
to scan from the menu. The drive letter labeling isn't exactly
the same as in the Windows environment, so be careful you're
selecting the correct partition to scan. (Partitions are lettered
in sequential order, by scanning the partition table, and may not
match your Windows lettering scheme.) You can scan all the partitions
if you want. Based on experience, I leave this running
overnight, as it takes a lot longer than it should.

The initial scanning is quick enough, but it doesn't take too
long before the program becomes more lethargic, which is why,
if your partitions are very big, this scanning takes forever.

On my last test run, I tried downloading the EICAR test file,
just to make sure the scanner has at least one thing to detect.
And indeed, the scanner responded to this. EICAR is a benign
file, intended to test whether scanning software is
actually doing anything or not.

http://en.wikipedia.org/wiki/Eicar_test_file

One of the minor irritations with this rescue CD, is the
CD must stay in the drive. There is a way to get around this.
When the CD starts to boot, there is a boot prompt. You must
start typing immediately. Type at the boot prompt -

rescue docache

What that does is copy the contents of the CD to RAM.
The CD is only 116896 KB, so most modern systems should
have room to fit that into RAM.

Using the menu on the lower left, open a terminal window.
Identify the mount point of the CDROM. I don't remember
the exact name, but it could be something like "/mnt/cdrom"
or the like. From the prompt in the terminal, type
"umount /mnt/cdrom". Now, press the eject button on the
CDROM tray - the tray should open, if the umount succeeded.
*Very quickly* remove the CD. The drawer will close automatically
in a matter of seconds. I don't know why it is set up that way,
but be careful not to jam your newly made CD in the drawer. I
don't think the environment has an "eject" command, so I couldn't
use that command.

The above allows a scan to be conducted, without WinXP running.
It is one more weapon in your tool belt.

HTH,
Paul
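Paul's caveat about partition lettering deserves a concrete check before committing to an overnight scan. Below is an added example, written for this thread and not code from Paul, the original post, or Kaspersky: a Python parser for the classic MBR partition table that lists the primary partitions in table order (the order a Linux-based rescue environment enumerates them) and picks out the active NTFS/FAT partition, which on an XP machine is usually the Windows C: drive. The 512-byte sample MBR is constructed inside the code; the "active partition is C:" rule is a heuristic assumption, not a guarantee, and the parser covers only the four primary slots, not logical partitions inside an extended partition.

```python
import struct

# Partition type bytes a practitioner is most likely to meet on an XP-era disk.
# Not exhaustive; unknown types are reported by their hex value.
PARTITION_TYPES = {
    0x01: "FAT12", 0x04: "FAT16 <32MB", 0x06: "FAT16", 0x07: "NTFS/HPFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0E: "FAT16 (LBA)",
    0x05: "Extended (CHS)", 0x0F: "Extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0x12: "Vendor recovery",
}

MBR_SIZE = 512
TABLE_OFFSET = 446      # the 4 x 16-byte partition entries start here
ENTRY_SIZE = 16
SECTOR_SIZE = 512


def parse_mbr(mbr: bytes):
    """Return the non-empty primary entries of an MBR, in table order.

    Raises ValueError if the buffer is not a 512-byte sector ending in 0x55AA.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature; not an MBR")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + slot * ENTRY_SIZE
        raw = mbr[off:off + ENTRY_SIZE]
        # status(1) CHS-start(3, ignored) type(1) CHS-end(3, ignored) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", raw)
        if ptype == 0x00:
            continue  # unused slot
        entries.append({
            "slot": slot + 1,   # 1-based, the way Linux numbers sda1..sda4
            "bootable": status == 0x80,
            "type": PARTITION_TYPES.get(ptype, f"unknown (0x{ptype:02X})"),
            "type_id": ptype,
            "lba_start": lba_start,
            "size_mb": sectors * SECTOR_SIZE // (1024 * 1024),
        })
    return entries


def likely_windows_system_partition(entries):
    """Heuristic (assumption): the active NTFS/FAT partition is usually XP's C:.

    Falls back to the first NTFS/FAT partition if none is flagged active.
    """
    windows_types = {0x06, 0x07, 0x0B, 0x0C, 0x0E}
    candidates = [e for e in entries if e["type_id"] in windows_types]
    for e in candidates:
        if e["bootable"]:
            return e
    return candidates[0] if candidates else None


def build_entry(status, ptype, lba_start, sectors):
    """Pack one 16-byte partition entry (CHS fields zeroed; LBA is what matters)."""
    return struct.pack("<B3xB3xII", status, ptype, lba_start, sectors)


def constructed_sample_mbr():
    """A constructed MBR for illustration, not read from any real disk.

    slot 1 = vendor FAT32 recovery partition (what a rescue CD would label first),
    slot 2 = active NTFS partition (the XP C: drive), slot 3 = a Linux partition.
    """
    mbr = bytearray(MBR_SIZE)
    table = (
        build_entry(0x00, 0x0C, 63, 4_194_304)             # 2 GiB FAT32 recovery
        + build_entry(0x80, 0x07, 4_194_367, 62_914_560)   # 30 GiB NTFS, active
        + build_entry(0x00, 0x83, 67_108_927, 20_971_520)  # 10 GiB Linux
    )
    mbr[TABLE_OFFSET:TABLE_OFFSET + len(table)] = table
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    parts = parse_mbr(constructed_sample_mbr())
    for p in parts:
        flag = "*" if p["bootable"] else " "
        print(f"{flag} slot {p['slot']}: {p['type']:<14} start LBA {p['lba_start']:>10} {p['size_mb']:>7} MB")
    win = likely_windows_system_partition(parts)
    print("likely Windows C: ->", f"slot {win['slot']}" if win else "none found")
```

On the rescue CD you would feed it the first sector of the disk, for example from the terminal with `dd if=/dev/sda bs=512 count=1 of=/tmp/mbr.bin` (assuming the disk appears as /dev/sda), then call `parse_mbr(open("/tmp/mbr.bin", "rb").read())`. Comparing the sizes it prints against what Windows reports for each drive letter is the reliable way to pick the right partition to scan.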
 

antioch

Hi Paul
Many thanks for your reply/suggestions.
At the moment, my CD/DVD Rom and/or Nero is playing up as well - so I might
have to go out-of-house to handle your suggestion. This does not help with
doing a backup, and burning with no Admin permission does not help either.
I have done the on-line Symantec but had not thought about Kaspersky.
A lot of what you have suggested is above my comprehension, but I can follow
certain instructions.
If the computer remains stable enough for long enough, I will have a go.
But at the end of the day, a fresh install may be the quickest solution.

Rgds
Antioch
 

Jose

Some of your issues sound like malicious software infections or the
remnants after they are removed. Sometimes these things are not too
hard to resolve.

First, establish a reasonable troubleshooting base if you can still
get on the World Wide Web.

Download, install, update and do a full scan with these free malware
detection programs:

Malwarebytes (MBAM): http://malwarebytes.org/
SUPERAntiSpyware: (SAS): http://www.superantispyware.com/

They can be uninstalled later if desired.

Then pick one problem at a time and fix it - I doubt you will come
across one magic bullet here.
 

antioch

Hello
Please read my original post -

Agreed - I think I now have cleaned the system - damage is left.
All four scanners are being done twice a day and so far nothing found for
the last 2 days.

I have not had any problems browsing - so far nothing has been happening -
well, yesterday was the first time - managed to DL and install all the Black
Tuesday updates. Could not burn to disc though - needed admin permission,
but could save to desktop - which seems a bit daft.

MBAM/SAS are permanent features on my system - see orig post.

I am now working on each bit of 'damage' left - no System Restore [even the
install of the updates produced nothing, and they have stuck] - minor admin
permissions for certain functions - cannot defrag - cannot get into safe
mode [F8].

I am browsing and looking through saved troubleshooting stuff and compiling
what help I can find - I am concentrating on the System Restore first.

As yet I have not done an HJT as IE6 seems stable.

Thanks for your interest in my post.

Rgds
Antioch
 

Jose

Good. Just wanted to get you at some kind of known condition.

Sometimes when the malware is removed, things still need to be fixed
by hand. MS updates are unlikely to fix these relatively common after
effects of a malware attack.

If you want to start with your SR, you need to define what "no System
Restore" means.

If you leave the problem up for interpretation ("no System Restore"),
you may get lots of ideas that are not your problem.

For example, you don't see SR in System Tools, you see it but it won't
launch, it launches but no calendar, the calendar shows up but no RPs
are listed, you choose a RP but get an error, etc.

You need to post a specific error message and/or more details.

The more details you provide, the faster you can fix it.
 

antioch

Hello again

System Restore -
There are no checkpoints/restore points entered - the last time I looked and
saw some, was about 9 August - there were at least a dozen or more.
Recent WIN updates produced no entries at all - normally do - when one
installs a box always says 'setting restore point'.
I have tried creating a restore point as 'TEST' and have put a folder on the
desktop called 'TEST'.
When I create the 'TEST' checkpoint I get 'Restore Point is not able to
create a restore point. Please restart the computer and then run Restore
Point again'
I have tried dozens of times - it will not create after reboot. The above is
still the current position.

I am currently waiting for a reply in Spyware Warrior.

Rgds
Antioch
 

antioch

PA Bear said:
Your thread: http://www.spywarewarrior.com/viewtopic.php?t=31278

PS: Authenium = RadialPoint = Virgin Broadband's PCGuard suite freebie =
Zero Knowledge (the similar NTL freebie)

Yes, it is a POS and very difficult to uninstall/remove, if need be.

Your computer's seriously compromised, antioch. I'd wipe & reload IIWY.
--
~PA Bear
www.banthecheck.com


Hi PA
You nosey old bu---- I knew I should have used a different handle :)

NTL/Virgin Media this week have updated their AV suite to Kaspersky stuff.
Currently waiting to be offered the install and see if it works any better
than the other crap/bloatware. I asked Virgin re the Authentium - never
heard of it.
I even asked what Pest Patrol was doing on my computer - at first denied
then admitted it was part of eTrust Pest Patrol - another piece of SH one
Tee.
But I did not see this eTrust in the HJT lists.
It sure is hell to uninstall - [like McA and Norton] - but if you know the
order in which to do it, then OK.
Yes, it is free to a certain level of service paid for. But it has IMHO the
best antispam I have come across - I have tried a few - my honey-pot email
gets everything in my 'mail box' - nothing gets through to the computer - it
caught and fixed the very early .gif spam/phishing stuff.
What is strange - had this happen 5-6 years ago - my computer is running
like a dream at startup and shutdown - last time it was very very slow.
I will wait and get through current problems and see if the new one with
Kaspersky is any good - the newsgroups will soon report on its effectiveness.
I just hope the antispam is not changed.

Oh and thanks a lot for your optimistic prognosis in the last line - most
encouraging.
Whose guide/help do you reckon is the best - just one please - that's put you
on the spot :)
I will not bother to let you know how things go in SW - you will probably
know before me. For the moment I am staying off the browser and waiting for
that email.

Nice to hear from you

Rgds
Antioch
 

PA Bear [MS MVP]

antioch wrote:
Whose guide/help do you reckon is the best - just one please - that's put you
on the spot :)

They don't let just anyone handle threads there. You'll be in fine hands,
no matter who handles your thread.

Tip: Give your handler a link to your newsgroup thread, if you want, but
don't reply to your thread until a handler has. Good luck.
 

antioch

Be sure that I will wait the five days for a reply - I should get an email
warning, I believe.
I am sure that I will be in good hands - I was when I used CastleCops -
shame they went.
Thanks for the good wishes.

Rgds
Antioch
 

antioch

Hello PA
Just to let you know, I was held by the hand in Spyware Warrior and after a
few days I was declared 'clean'.
The system is running better than ever. All the problems I had have been
resolved.
I can certainly recommend SW - but they are very very busy - so be patient
waiting to get their help if you go there.
Popping over to 'Updates' now.

Rgds to all

Antioch
 
