XP started slow and wouldn't access the net.

mm

Sort of a long question. Sorry.

I'm having major problems with winXP home, and can't access the Net
with my browsers, Firefox 3 and IE6, nor can I update my AVG or Spybot
S&D definitions.

Nor will ZoneAlarm and the real-time virus detection of AVG start up.
(The only errors in Event Viewer relate to ZoneAlarm and AVG)

But Eudora works for email and Agent works for Usenet.

(With some XP Services disabled, IE will work, sometimes).


All of a sudden one day, XP started taking 15 minutes to open and
after it did, I couldn't access the web. (I had only installed XP
two months earlier, on the same harddrive with win98SE but in a
different partition.)

I went to msconfig.exe, system configuration utility, and unchecked
all the Services and Start-up programs, and then XP would open in the
normal amount of time. I then started rechecking them, 1/3 of them at
a time, narrowing in on the problem ones.

It seems that two of the Services are causing the problems,

1) Shell Hardware Detection, which posts I found on google associate
with very slow starting, and

2) Windows Time

3) (A third one, Network Access Protection Agent, seemed to be causing
problems, but that's not clear now, and it's checked now).

When the third one NAPAgent wasn't checked, I could get News through
Agent and Email with Eudora, but neither FF3 nor IE6 would get a url.
(Nor could I nor can I update my AVG or Spybot S&D definitions.)

So I checked NAPAgent and restarted and now IE works, at least it did,
but FF3 won't fill in any tabs with what it had during the previous
good session, let alone fetch a new url. Earlier in the debugging
above, when Services things were checked, it would load some of the
previously open tabs, but wouldn't successfully respond to Forward or
Back and wouldn't retrieve a url that wasn't in a tab the last time I
closed FF, the night before the XP problem started, in July.

Is there a difference between FF and IE?

Does it have anything to do with ZoneAlarm not running? When I first
got a firewall many years ago, I had to change a proxy setting in
Netscape if I was using it, and change it back if I wasn't using the
firewall, but in the last few years, I've gotten the impression that
Netscape and Firefox and IE will run whether the firewall is running
or not. For one thing, when I've been running out of ram, I've closed
ZoneAlarm completely and the browser still worked. And right now I
can't find any proxy settings in FF or IE preferences anyhow.


Because I also can't run most of AVG antivirus, or ZoneAlarm, and no
matter what combination of Services have been checked, since the XP
problem started, I haven't been able to dl new definitions for AVG or
Spybot S&D. I did however scan the harddrive with both of those two,
using the old definitions, and all they found were a bunch of tracking
cookies, which I deleted. I don't think I have a virus, since I
don't think I've ever had one and I don't do virus-vulnerable things,
like open attachments, but since the virus definition lists run at
least a day or two behind the existence of viruses, if it was a brand
new virus, my AVG wouldn't have known about it and still wouldn't.



Also, the day before these problems started, I had installed the FF
add-on, Stylish 1.0.5, and it worked great. I ran with it for hours,
but after I restarted windows, about then my problems seemed to start.

I've uninstalled Stylish, and all the other add-ons are disabled.
Could one still be causing problems, even before I start Firefox?

Could installing Stylish have somehow screwed up the two XP Services
that don't seem to work now? Something that spans windows sessions so
that Firefox doesn't have to be started for there to be problems with
XP?

I have the original XP CD and the license number.

What should I do?

Should I do a repair install?

Thanks a lot for any help.
 
mm

I'm having major problems with winXP home,

XP Home, SP3, installed two months before the problems started
and can't access the Net

Can't access the web, or update AVG and Spybot definitions.

I can still access pop mail and Usenet.
with my browsers, Firefox 3 and IE6, nor can I update my AVG or Spybot
S&D definitions.

Sorry for the omissions.
 
Elmo

mm said:
XP Home, SP3, installed two months before the problems started


Can't access the web, or update AVG and Spybot definitions.

I can still access pop mail and Usenet.


Sorry for the omissions.

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html
 
mm

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it.
BitDefender also has a Rootkit checker on the Linux Desktop; run it if
you think that's the problem:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Download the executable rather than the .iso image, if one is
available.. it prompts you to insert a CD and burns the file, no problem.

Then run these:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe

SuperAntispyware
http://www.superantispyware.com/superantispywarefreevspro.html

Thanks a lot. Since I have win98SE and winXP on the same box,
different partitions, could I run these things successfully on the XP
partition while using win98. That way I could still read webpages
while the scans are running.

In fact, do I have to burn the programs to a CD or can I just download
them on this box and run them from this partition, checking out the
other partition?
 
Elmo

mm said:
Thanks a lot. Since I have win98SE and winXP on the same box,
different partitions, could I run these things successfully on the XP
partition while using win98. That way I could still read webpages
while the scans are running.

In fact, do I have to burn the programs to a CD or can I just download
them on this box and run them from this partition, checking out the
other partition?

Knoppix Live is made to run from RAM. That's the perfect platform for a
malware check since nothing can start from the hd. Since it'll be
checking every file, I doubt you'd be able to use the machine
effectively. But just run it while you sleep and remove any infections
the next morning.
 
Elmo

mm said:
You are right. It was a silly question on my part.


That's what I did.

Unfortunately, BitDefender found several threats, and I quarantined
them. But two were email mailboxes, not my most important, but I've
decided nothing in them, certainly nothing listed, was causing
problems in winXP and I want them back, and I can't find them. I know
where they were and they're not there. And I searched the whole
computer and they're not anywhere. Plus the HOME directory isn't
anywhere, and that's where it said it put them.

I'm thinking it quarantined them and put them in the RAM disk, which
disappeared as soon as I started to reboot the computer.

If I'm right this is very bad.

I can retrieve these from my backup, but it's just a bad system, if
I'm right. It's as if they used the same procedure when booting
from a CD as when running from the OS, except they used a Ramdrive to
store quarantined files.

But I don't blame you. :)

I'm going to run the other two you listed tonight and tomorrow night.

Sorry, I don't know where the files are quarantined. I did a search for
references to where they might be written, but didn't find anything.
But a Windows advanced search for files written the day of the scan
might help you locate the files, if they were written to the hard drive.
 
Daave

mm said:
You are right. It was a silly question on my part.


That's what I did.

Unfortunately, BitDefender found several threats, and I quarantined
them. But two were email mailboxes, not my most important, but I've
decided nothing in them, certainly nothing listed, was causing
problems in winXP and I want them back, and I can't find them. I know
where they were and they're not there. And I searched the whole
computer and they're not anywhere. Plus the HOME directory isn't
anywhere, and that's where it said it put them.

I'm thinking it quarantined them and put them in the RAM disk, which
disappeared as soon as I started to reboot the computer.

I think you are correct. See this page:

http://forum.bitdefender.com/index.php?showtopic=13441

Hindsight is unfortunately 20/20, but it would have been better to note
the files and move them yourself to something like a flash drive. I
suggest Elmo include this information in the future when he makes the
otherwise good recommendation to use a rescue CD.
If I'm right this is very bad.

I can retrieve these from my backup, but it's just a bad system, if
I'm right. It's as if they used the same procedure when booting
from a CD as when running from the OS, except they used a Ramdrive to
store quarantined files.

What kind of backup do you have?

For malware scanning and removal, you should benefit by reading this
page:

http://www.elephantboycomputers.com/page2.html#Removing_Malware
 
Daave

mm said:
Sort of a long question. Sorry.

I'm having major problems with winXP home, and can't access the Net
with my browsers, Firefox 3 and IE6, nor can I update my AVG or Spybot
S&D definitions.

Nor will ZoneAlarm and the real-time virus detection of AVG start up.
(The only errors in Event Viewer relate to ZoneAlarm and AVG)

But Eudora works for email and Agent works for Usenet.

(With some XP Services disabled, IE will work, sometimes).


All of a sudden one day, XP started taking 15 minutes to open and
after it did, I couldn't access the web. (I had only installed XP
two months earlier, on the same harddrive with win98SE but in a
different partition.)

I went to msconfig.exe, system configuration utility, and unchecked
all the Services and Start-up programs, and then XP would open in the
normal amount of time. I then started rechecking them, 1/3 of them at
a time, narrowing in on the problem ones.

It seems that two of the Services are causing the problems,

1) Shell Hardware Detection, which posts I found on google associate
with very slow starting, and

2) Windows Time

3) (A third one, Network Access Protection Agent, seemed to be causing
problems, but that's not clear now, and it's checked now).

When the third one NAPAgent wasn't checked, I could get News through
Agent and Email with Eudora, but neither FF3 nor IE6 would get a url.
(Nor could I nor can I update my AVG or Spybot S&D definitions.)

So I checked NAPAgent and restarted and now IE works, at least it did,
but FF3 won't fill in any tabs with what it had during the previous
good session, let alone fetch a new url. Earlier in the debugging
above, when Services things were checked, it would load some of the
previously open tabs, but wouldn't successfully respond to Forward or
Back and wouldn't retrieve a url that wasn't in a tab the last time I
closed FF, the night before the XP problem started, in July.

Is there a difference between FF and IE?

Does it have anything to do with ZoneAlarm not running? When I first
got a firewall many years ago, I had to change a proxy setting in
Netscape if I was using it, and change it back if I wasn't using the
firewall, but in the last few years, I've gotten the impression that
Netscape and Firefox and IE will run whether the firewall is running
or not. For one thing, when I've been running out of ram, I've closed
ZoneAlarm completely and the browser still worked. And right now I
can't find any proxy settings in FF or IE preferences anyhow.


Because I also can't run most of AVG antivirus, or ZoneAlarm, and no
matter what combination of Services have been checked, since the XP
problem started, I haven't been able to dl new definitions for AVG or
Spybot S&D. I did however scan the harddrive with both of those two,
using the old definitions, and all they found were a bunch of tracking
cookies, which I deleted. I don't think I have a virus, since I
don't think I've ever had one and I don't do virus-vulnerable things,
like open attachments, but since the virus definition lists run at
least a day or two behind the existence of viruses, if it was a brand
new virus, my AVG wouldn't have known about it and still wouldn't.



Also, the day before these problems started, I had installed the FF
add-on, Stylish 1.0.5, and it worked great. I ran with it for hours,
but after I restarted windows, about then my problems seemed to start.

I've uninstalled Stylish, and all the other add-ons are disabled.
Could one still be causing problems, even before I start Firefox?

Could installing Stylish have somehow screwed up the two XP Services
that don't seem to work now? Something that spans windows sessions so
that Firefox doesn't have to be started for there to be problems with
XP?

I have the original XP CD and the license number.

What should I do?

Should I do a repair install?

Thanks a lot for any help.

If you have a situation where security programs are being disabled, that
is a sign you have a malware infection. If you have multiple infections,
the wisest action is to perform a Clean Install. Otherwise, this page
should help you out:

http://www.elephantboycomputers.com/page2.html#Removing_Malware
 
mm

If you have a situation where security programs are being disabled, that
is a sign you have a malware infection. If you have multiple infections,
the wisest action is to perform a Clean Install. Otherwise, this page

A Clean Install is one that will mean starting over again with none of
my data installed, nor my settings nor preferences, nor any of the
programs that I've installed, is that right?

So there's a lot of work left to do after the XP install to get things
the way they were.

Is it possible to do a Repair Install that will overlay all the XP
files with the original files in XP and the SP's? I'd rather try that
before a clean install. Is it possible that would fix it?


I've started, but I need to read carefully.


Thanks
 
Ken Blake, MVP

A Clean Install is one that will mean starting over again with none of
my data installed, nor my settings nor preferences, nor any of the
programs that I've installed, is that right?

Yes.



So there's a lot of work left to do after the XP install to get things
the way they were.

Yes.


Is it possible to do a Repair Install that will overlay all the XP
files with the original files in XP and the SP's? I'd rather try that
before a clean install. Is it possible that would fix it?


Is a repair installation possible? Yes, probably. Is that likely to
fix a malware infection? No, it's highly unlikely to be of any help at
all.

On the other hand it doesn't hurt to try it before doing a clean
installation.
 
mm


Wow they know about it, for 2 and a half years!!!
"Technical Support
Group: Technical Support
Posts: 730
Joined: 27-March 07
From: Bucharest, Romania
Member No.: 58

Hello mnboone,

The BitDefender rescue CD uses your computer's RAM memory to boot and
scan the hard drive. Due to the fact that the quarantine is stored in
RAM and this is a volatile memory, if one of the files from the scan
is stored there it will be deleted when you restart the system.

Unfortunately there isn't any way to retrieve that file at this stage."

I think they should stop calling it "Quarantine" then. If we used
that in the medical world, someone quarantined with tuberculosis or the
flu would be shot and killed!

They had a separate option called Delete, but for a first time user,
they are the same thing.

In the next post she says:
"The only way to save the files in the quarantine is to run the scan
then save them onto a USB stick or any type of physical memory, then
restart the computer."

I'm annoyed at them and I don't feel like restarting it to check, but
when I did it, I didn't see any way to save anything on a USB stick,
and more importantly, I saw nothing that said they would be deleted as
soon as one started to reboot.

They never said it would be stored in RAM. I only knew about the RAM
drive because I carefully read all the start-up lines. What is the
point of storing it in RAM, when the user can't access the RAM!

For that matter, there were user-settable settings, but the thing
plunged into scanning without giving the user a chance to set them,
and without mentioning that they existed. Only after the scan was over
did these options appear.

Yesterday I was just disappointed. Now that I know they knew about
this more than 2 years ago, I'm annoyed, angry even.

They also say there is a Disinfect option, so plainly they are set up
to write to my harddrive. If so, they could create a folder with a
name no one else uses and put the truly-quarantined files there.
Hindsight is unfortunately 20/20, but it would have been better to note
the files and move them yourself to something like a flash drive. I

I certainly see your point. I didn't anticipate this happening.

And the names were very long, and not fully names that I was used to
using. I don't know how the names got assigned. My mailboxes are in
C:\data\eudora7\ , a very short simple name, but that's not the folder
that was specified in the results list.

I wasn't even sure what partition was being scanned, because it
referred to them as xxxa and xxxb. I forget what xxx was, and neither
a nor b was C or D, my two partitions. a might have been C, but I
know my win98 files a lot better than winxp files and there were an
awful lot that I didn't recognize.

I thought I was being cautious by spending so much time looking at the
file names.
suggest Elmo include this information in the future when he makes the
otherwise good recommendation to use a rescue CD.

Someone should tell the writers of bitdefender. Wait, they already
know but don't tell anyone until after it's too late.
What kind of backup do you have?

A big external harddrive.
For malware scanning and removal, you should benefit by reading this
page:

http://www.elephantboycomputers.com/page2.html#Removing_Malware
Yes, I am reading it.

Thanks.
 
Daave

mm said:
A big external harddrive.

What I meant was what type of backup did you perform? (Not where you saved
it.)

That is, did you use a backup program or did you simply use Windows
Explorer to copy files? If you used a program, which one did you use
(and do you have a bootable rescue CD for it)? Did you image the hard
drive (or partition) or copy data only?
Yes, I am reading it.

Thanks.

YW.
 
mm

Wow they know about it, for 2 and a half years!!!

My mistake. Sorry. This person joined 2.5 years ago. The thread date
was only at the top, May 7 2009, 04:03 PM, but that's still 6 months
ago, and her reply makes it seem that they know about the problem and
have no intention of doing anything.
I think they should stop calling it "Quarantine" then. If we used
that in the medical world, someone quarantined with tuberculosis or the
flu would be shot and killed!

They had a separate option called Delete, but for a first time user,
they are the same thing.

And for repeat users if they never checked what happened to other
things they "quarantined".
 
mm

What I meant was what type of backup did you perform? (Not where you saved
it.)

That is, did you use a backup program or did you simply use Windows
Explorer to copy files? If you used a program, which one did you use

I used XXCOPY with the /CLONE option. It's a DOS program, and afaik
has no relevant bugs. (Judging from the webpage and the yahoo mailing
list, where the author himself answers questions several days a week.)

It copies hidden and system files and says what files it hasn't
copied, and writes a report to a file. It only copies files that have
been changed, and I exclude:
d:hiberfil.sys
d:pagefile.sys
d:\found.*
d:\windows\win386.swp
d:\temp\
d:\tmp\
d:\windows\temp\
"d:\windows\temporary internet files\"
d:\recycled\

I run it from win98 which is on the same computer (so I don't think
there were any files it didn't copy), and I backup win98 from WinXP.
(and do you have a bootable rescue CD for it)?

I think I downloaded one and burned it, but didn't know what to do
with it when I ran it.
Did you image the hard
drive (or partition) or copy data only?

Data only.
 
Daave

mm said:
I used XXCOPY with the /CLONE option. It's a DOS program, and afaik
has no relevant bugs. (Judging from the webpage and the yahoo mailing
list, where the author himself answers questions several days a week.)

It copies hidden and system files and says what files it hasn't
copied, and writes a report to a file. It only copies files that have
been changed, and I exclude:
d:hiberfil.sys
d:pagefile.sys
d:\found.*
d:\windows\win386.swp
d:\temp\
d:\tmp\
d:\windows\temp\
"d:\windows\temporary internet files\"
d:\recycled\

I run it from win98 which is on the same computer (so I don't think
there were any files it didn't copy), and I backup win98 from WinXP.


I think I downloaded one and burned it, but didn't know what to do
with it when I ran it.


Data only.

The good news is whatever was deleted (through the apparently misnamed
"quarantine" option) still exists.
 
