PSguard and the missing wininet.dll file! [RESOLVED]


#1
dweebosh

  • Member
  • 37 posts
My laptop is infected with PSguard!

To make matters even worse, I'm missing my wininet.dll file and Windows is running extremely slowly! A 'helpful' friend attempted to remove PSguard by deleting all items detected by HijackThis. I don't know whether this or the spyware was responsible for deleting my wininet.dll file. I downloaded a replacement (http://www.dll-files...s.shtml?wininet) and dropped it in the Windows system folder, but Windows is still running VERY slowly and is prone to freezing/crashing.

Following some of the steps detailed in previous threads on PSguard seems to have disabled the spyware (no more red icon in the system tray or 'Warning' wallpaper). However, SpySweeper keeps detecting PSguard (along with HereToFind and Tubby Toolbar?). I haven't been able to follow all the steps fully and need a little additional help!

I have tried rebooting in safe mode and running smitRem, Ad-Aware and SpySweeper, but I can't download Ewido to finish the process (am running Windows Me). Please help me get my laptop up and running again!!! :tazz:

Ad-Aware SE

ArchiveData(auto-quarantine- 2005-08-04 17-12-47.bckp)
Referencefile : SE1R59 02.08.2005
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[1]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs\.XML
obj[2]=MRU RegReference : .DEFAULT\software\microsoft\windows\currentversion\explorer\recentdocs\Folder

MALWARE.PSGUARD
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=File : C:\_RESTORE\TEMP\A0056091.1

WIN32.TROJAN.BYTEVERIFY.A
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[3]=File : C:\_RESTORE\TEMP\A0056120.0

CYDOOR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[4]=File : C:\_RESTORE\TEMP\A0056122.0

LITMUS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=File : C:\_RESTORE\TEMP\A0057525.0

ALERTSPY
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[6]=File : C:\Program Files\HijackTools\SETUP.EXE


smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Clean!! ;)



Logfile of HijackThis v1.99.1
Scan saved at 17:20:28, on 04/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HIJACKTOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRAM FILES\HIJACKTOOLS\AD-AWARE\AD-AWARE.EXE" "+b1"
O4 - Startup: Real-time monitor.lnk = C:\Program Files\Trend PC-cillin 2000\PCCIOMON.exe
O4 - Startup: WallMaster.lnk = C:\WINDOWS\Wallpaper\WallMaster\wallmast.exe
  • 0

#2
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

OK, Windows 98 and ME users will have this problem if they don't fix it correctly :tazz:

Let's try this to see if it will fix it up. Go to http://windowsupdate.microsoft.com/ and look for the MS05-020 update. Install that and see if it repairs the problem.

I need to take a look again to make sure you are clear once you completed the above. So post back when you are done.
  • 0

#3
dweebosh

  • Topic Starter
  • Member
  • 37 posts
Hi greyknight, thanks for getting back to me!

I've downloaded all the critical files that Windows update offered for Me, but I couldn't find a Me-specific patch in the MS05-020 bulletin (tried a couple of the listed downloads but without success - looks like I'm now running IE 6 after downloading the Me critical updates!? :) )

I've just run panda active scan, HijackThis and smitRem over again;

PANDA
Incident Status Location

Spyware:spyware/istbar No disinfected Windows Registry
Dialer:Dialer.NQ No disinfected C:\WINDOWS\msxmidi.exe.tcf
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\PFHB.0
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0055957.CPY
Virus:Bck/Agent.AFZ Disinfected C:\_RESTORE\TEMP\A0055970.CPY
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0056036.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0056037.CPY
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0056119.CPY
Virus:Trj/ComSys.A Disinfected C:\_RESTORE\TEMP\A0056120.1
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\TEMP\A0056122.1
Virus:Trj/Sysgotem.B Disinfected C:\_RESTORE\TEMP\A0057525.1
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0057832.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0058497.CPY
Dialer:Dialer.NQ No disinfected C:\_RESTORE\TEMP\A0060416.CPY
Adware:Adware/SearchExe No disinfected C:\Program Files\backups\backup-20050802-184958-959.dll
Adware:Adware/SearchExe No disinfected C:\Program Files\backups\backup-20050802-185259-725.dll
Possible Virus. No disinfected C:\Program Files\HijackTools\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Virus:Trj/Downloader.BF Disinfected C:\mssysinf.exe


HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 10:43:00, on 05/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\HIJACKTOOLS\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\HIJACKTOOLS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\HIJACKTOOLS\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Real-time monitor.lnk = C:\Program Files\Trend PC-cillin 2000\PCCIOMON.exe
O4 - Startup: WallMaster.lnk = C:\WINDOWS\Wallpaper\WallMaster\wallmast.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


smitRem log file
version 2.3

by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Present!!


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system folder ~~~




~~~ Icons in system folder ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~~ wininet.dll ~~~~

wininet.dll Clean!! :(


Looks like I have more problems than I realised ;) It now takes about 1min for the contents of 'My Computer' to be displayed following startup. After this, things seem to speed up a bit - still prone to freezing though. On last startup I got this error message; Cannot find C:\WINDOWS\pavdr.exe you may have typed the file name incorrectly in the run dialog box or another open program cannot find a system file!

Thanks for your time on this (especially since the damage isn't all spyware inflicted!) I really appreciate the effort! Sorry for any delay in replying, my laptop only has dial-up. The downloads take an age (I've been copying all the anti-spy software across from my desktop at work).

PS: Ad-Aware keeps picking up these files but is unable to delete them;
C:\_RESTORE\TEMP\A0056091.1
C:\_RESTORE\TEMP\A0056120.0
C:\_RESTORE\TEMP\A0056122.0
C:\_RESTORE\TEMP\A0057525.0
C:\_RESTORE\TEMP\A0060170.0
Each time I allow Ad-Aware to 'delete on reboot' the suffix for each of these files seems to change (cycles between .0 .1 and .cpy). Don't know what to do about these? Can I delete these with Killbox without making matters worse? :tazz:
Thanks for all your help!

Edited by dweebosh, 05 August 2005 - 09:18 AM.

  • 0

#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I'm not sure if you have the correct wininet.dll file though. I want you to insert your Windows ME CD into your cd drive and then go to My Computer. Right click on the drive and choose Search. Search for wininet.dll. If the search window has options to "search within archives" or something like that, I want you to check the box so it searches in them also. See if you can find that file on the CD. Tell me where it's located (and also in what .cab file - if it is indeed located in a CAB file).

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

This should fix those RESTORE problems :tazz:
Go to Start->Settings->Control Panel and double-click on the System icon. On the Performance tab click File System. Click the Troubleshooting tab, and then check 'Disable System Restore'. Click OK. Click Yes when you are prompted to restart Windows. I want you to immediately go back and uncheck that box now to create a new restore point.


Download CWShredder at http://www.greyknigh.../CWShredder.exe. Don't run it yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers.

Run CWShredder. Click on 'I Agree' button if you agree. Click on 'Fix' (it will automatically fix anything it finds for you) and then click OK. If it asks if you want to delete a certain random file, choose No and post that filename here. Let it finish the scan and then hit Next and Exit.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\msxmidi.exe.tcf
C:\Program Files\backups\backup-20050802-184958-959.dll
C:\Program Files\backups\backup-20050802-185259-725.dll


Restart and run a new HijackThis scan. Save the log file and post it here. Also run a new Panda scan and give me that log as well.
  • 0

#5
dweebosh

  • Topic Starter
  • Member
  • 37 posts
Thanks very much for your help. I'll get right on this then post back ASAP (just need to relocate my Windows Me CD first!!!) Thanks for your patience :tazz:
  • 0

#6
dweebosh

  • Topic Starter
  • Member
  • 37 posts
Hi greyknight

System restore was already disabled when I looked (may have been part of my friend's earlier attempts to help me out?) so I toggled this on, then off, then on again with reboots in between (system restore is currently enabled).

When I rebooted in safe mode I received an odd error message from Microsoft directdraw?! 'You must be running in 256 color mode or higher...' not sure what this was all about?

CWS came up clean - nothing to fix. HJT didn't report any of the files you listed, just similar lines without the 'about: blank' part, so I didn't fix any of the files listed. Couldn't find the MSXmidi file (already deleted?) but located the backup files you specified and deleted those.

Logfile of HijackThis v1.99.1
Scan saved at 11:39:06, on 06/08/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\LTSMMSG.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\HIJACKTOOLS\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\TREND PC-CILLIN 2000\PCCIOMON.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\PROGRAM FILES\HIJACKTOOLS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BTopenworld
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\HIJACKTOOLS\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: Real-time monitor.lnk = C:\Program Files\Trend PC-cillin 2000\PCCIOMON.exe
O4 - Startup: WallMaster.lnk = C:\WINDOWS\Wallpaper\WallMaster\wallmast.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab


Panda
Spyware:spyware/bargainbuddy No disinfected Windows Registry
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\PFHB.1
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0055957.0
Virus:Bck/Agent.AFZ Disinfected C:\_RESTORE\TEMP\A0055970.CPY
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0056036.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0056037.0
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0056119.0
Virus:Trj/ComSys.A Disinfected C:\_RESTORE\TEMP\A0056120.0
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\TEMP\A0056122.1
Virus:Trj/Sysgotem.B Disinfected C:\_RESTORE\TEMP\A0057525.0
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0057832.0
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0058497.0
Dialer:Dialer.NQ No disinfected C:\_RESTORE\TEMP\A0060416.0
Virus:Trj/Downloader.BF Disinfected C:\_RESTORE\TEMP\A0062995.0
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0064653.CPY
Adware:Adware/SearchExe No disinfected C:\_RESTORE\TEMP\A0064654.CPY


Panda active scan still seems to be detecting a lot of bad stuff :tazz: and I haven't been able to locate the wininet.dll file yet (or rather, my Windows Me CD! I'll track this down and post the file location ASAP).

Thanks for your continuing support! ;)
  • 0
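
Added example (not part of the original thread): a Python sketch that compares the Panda ActiveScan listings from posts #3 and #6 to check the observation that the `C:\_RESTORE\TEMP` detections are the same items reappearing under a different suffix, and to separate them from detections outside the System Restore store. The sample lines are a subset copied from those two posts; the function and variable names are illustrative.

```python
import re

# Subset of the Panda ActiveScan lines posted in #3 and #6 of this thread.
SCAN_POST_3 = r"""
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0055957.CPY
Virus:Bck/Agent.AFZ Disinfected C:\_RESTORE\TEMP\A0055970.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0056037.CPY
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\TEMP\A0056122.1
Dialer:Dialer.NQ No disinfected C:\_RESTORE\TEMP\A0060416.CPY
Dialer:Dialer.NQ No disinfected C:\WINDOWS\msxmidi.exe.tcf
Virus:Trj/Downloader.BF Disinfected C:\mssysinf.exe
"""
SCAN_POST_6 = r"""
Spyware:spyware/bargainbuddy No disinfected Windows Registry
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0055957.0
Virus:Bck/Agent.AFZ Disinfected C:\_RESTORE\TEMP\A0055970.CPY
Adware:Adware/PsGuard No disinfected C:\_RESTORE\TEMP\A0056037.0
Spyware:Spyware/Cydoor No disinfected C:\_RESTORE\TEMP\A0056122.1
Dialer:Dialer.NQ No disinfected C:\_RESTORE\TEMP\A0060416.0
Virus:Trj/Downloader.BF Disinfected C:\_RESTORE\TEMP\A0062995.0
"""

# "<Kind>:<Detection> <Status> <Location>", as the scanner printed it.
LINE = re.compile(r"^(?P<kind>\w+):(?P<name>\S+)\s+"
                  r"(?P<status>No disinfected|Disinfected)\s+(?P<location>.+)$")
# Items held in the Windows Me System Restore store: <stem>.<suffix>
RESTORE = re.compile(
    r"^C:\\_RESTORE\\TEMP\\(?P<stem>[^\\.]+)\.(?P<suffix>[^\\.]+)$", re.I)


def parse_scan(text):
    """Split a scan into {restore_stem: (detection, status, suffix)} and other hits."""
    restore, other = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        r = RESTORE.match(m["location"])
        if r:
            restore[r["stem"].upper()] = (m["name"], m["status"], r["suffix"].upper())
        else:
            other.append((m["name"], m["status"], m["location"]))
    return restore, other


def compare_scans(before, after):
    """Classify restore-store items by stem and list what the later scan found elsewhere."""
    old, _ = parse_scan(before)
    new, live = parse_scan(after)
    report = {"renamed": [], "unchanged": [], "new": [], "gone": [], "live": live}
    for stem in sorted(old.keys() | new.keys()):
        if stem not in old:
            report["new"].append(stem)
        elif stem not in new:
            report["gone"].append(stem)
        elif old[stem][2] != new[stem][2]:
            report["renamed"].append(stem)   # same item, suffix changed
        else:
            report["unchanged"].append(stem)
    return report


if __name__ == "__main__":
    for key, value in compare_scans(SCAN_POST_3, SCAN_POST_6).items():
        print(f"{key:10} {value}")
```

On this subset no restore-store item disappears between the two scans, three come back with only the suffix changed, and the one new item carries the same detection name that post #3 listed at `C:\mssysinf.exe`.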

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
OK, restart and hit F8 to get the boot screen. Choose the command prompt option. Then let it finish loading until it waits for a user response (blinking underscore). Type in the following:

rmdir /q C:\_RESTORE\TEMP\*.*

and hit Enter. Any error messages? If not, it went through ok. Hit ctrl+alt+del to restart. Run new Panda scan.

Did you locate the wininet.dll file yet?
  • 0

#8
dweebosh

  • Topic Starter
  • Member
  • 37 posts
I don't see a command prompt option on the boot screen! (sorry if I'm missing something obvious here?) I have a menu listing four options: 1. Normal, 2. Logged (\BOOTLOG.TXT), 3.Safe mode, 4. Step-by-step confirmation.

I can't see how I access command prompt, am I doing something wrong? :tazz: I hope to address the wininet.dll issue in the next couple of days (my Windows Me CD was at a different address - this is in the post to me now).

Many thanks!
  • 0

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Try this link for instructions on how to get into it :tazz:
  • 0

#10
dweebosh

  • Topic Starter
  • Member
  • 37 posts
Sorry, but I still think I'm missing a trick?! I followed the instructions provided by your link but still received the same options upon reaching the boot screen. At the moment, the only difference is that I no longer need to press F8 to access the boot screen - should there be additional options here now?

If I simply wait for the countdown to reach 0, the system continues to load Windows. Am I supposed to boot into safe mode then choose DOS prompt via the start menu? I apologise if I'm making a meal out of this unnecessarily!

Many thanks!

(EDIT: Am I lacking the DOS prompt option because I'm running Me?)
http://www.duxcw.com...rtup/page1.html

Edited by dweebosh, 08 August 2005 - 04:28 AM.

  • 0

#11
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Ahh, you may be right there. I never liked Windows ME because it was more complicated than the other versions (newer or older than it :tazz: ).

OK, boot into Safe Mode. Go to Start->Run and type in command or cmd and hit OK. Then type in:

rmdir /q C:\_RESTORE\TEMP\*.*

Hit Enter and then type exit and hit Enter to close out. Next, I want you to disable system restore again.

Restart and boot into Windows as usual. Enable system restore now. Do a Panda scan. Post that log along with a new HijackThis log.
  • 0

#12
dweebosh

  • Topic Starter
  • Member
  • 37 posts
Hi again, thanks for this - I thought I was missing something really obvious for a while!

I just tried to enter the command line you provided but got an error message:
Invalid switch - /Q
DOS prompt starts with this root - C:\WINDOWS\Desktop>
Since I didn't seem to achieve much with the command line I haven't rebooted with system restore disabled just yet. Should I do this anyway?

Many thanks
  • 0

#13
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
How about if you remove that /q switch?

That RESTORE folder is really a system hidden folder, but I was taking a chance there to see if you can clear your restore points through there.

If it's still not working, then yes, disable in safe mode. Restart and enable it again. Try Panda scan to see if they still show up.

If so, I'm thinking disable in safe mode, restart but don't enable restore (risky though). Run Panda and see if it finds anything, then enable system restore back.
  • 0

#14
dweebosh

  • Topic Starter
  • Member
  • 37 posts
OK, I tried the new command line in safe mode without the /q switch
(rmdir C:\_RESTORE\TEMP\*.*) but it didn't work: Invalid path or file name
Is there some other way to clear my restore points?

Also, I think I've spotted a problem. Every time I enable system restore (by unchecking the 'disable' box) then reboot, when I navigate back to the same menu - system restore is still disabled! (checked box). I have tried all possible combinations of rebooting from safe to normal mode and vice versa (unchecked box each time) but when I go back to the same menu, system restore is disabled again?! (checked box).

I have no idea what is going on or what to do next. Everything I do seems to throw up more problems! I'll run another Panda scan ASAP and post back if anything has changed but I'm not optimistic :tazz: I don't think I've managed to change anything since my last scan.

Here's hoping that you have a better idea of what I'm doing wrong than I do!
Thanks
  • 0

#15
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I'm starting to hate this Operating System more and more each day now :tazz:

OK, go into your Folder Options setting (My Computer->Tools/View->Folder Options->View). Make sure that you have the option to see hidden files and folders and operating system files and folders. If it asks you if you are sure, say yes. You may revert them back to what they were when we are done with this, so make note of what you changed. Now go into your C: drive. Can you find a folder called _RESTORE? If so, open it up and go into the TEMP folder. Delete everything in that TEMP folder.
  • 0





