
disable system restore

Discussion in 'All Other Software' started by lilaco, Nov 30, 2001.

  1. lilaco

    lilaco Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    865
    I am having a problem whereby every night I download end-of-day stock quotes, which is about 350KB, and after finishing the download I lose about 100MB. I need a solution.
    I am told that the problem is that somehow my computer does not recognize the tick mark in "Disable System Restore". I get to File System, Troubleshooting, UNCHECK "Disable System Restore", hit Apply, Close, restart the computer. When I go back there is a checkmark next to "Disable System Restore".
    I can send the computer back to the mfr., and I think they're just going to do a quick restore back to the original mfr. software, and I have tons of added-on software that I want to avoid re-installing.
    I am using ME.
    Do you think that the above is my problem or is it something else???

    HELP!!!!!!!!

    herb
     
  2. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
    Hiya

    First off, why disable System Restore? If you ever have a problem, you won't be able to revert back to your original setup.
    What OS are you using and what is the site that you download from?

    Just curious, but who told you about the system restore bit? Not Dell, was it?

    Also, this 100MB that you lose each time. That's a lot, if you're downloading only ~400k.

    Have you done a virus scan, just to be sure?

    http://housecall.antivirus.com/housecall/start_corp.asp

    Regards

    eddie
     
  3. lilaco

    lilaco Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    865
    Eddie, we were not trying to disable System Restore but rather to see if System Restore was functioning. Because the unchecking of "Disable System Restore" was not holding after we hit Apply and restarted the computer, it seems that the computer is not recognizing the command and something is wrong with System Restore.
    STRANGE THINGS ARE HAPPENING!!!!! I went on the HouseCall site, downloaded, and before even doing the scan, the C: drive went from 3.55GB to 4.27GB. However, after doing my usual 400KB download, I was back to 4.21GB. After a few days I am now at 3.95. Still better than 3.57 but not the answer.
    Did the virus scan... nothing came up in the white virus scan box of the program, but I did get a white message with the following:
    c:\unzipped\passkeeper\pass32.exe is Win32.Hybris.B worm. Not restored. This message was preceded with "Vet Resident Protection version 10.2.9.0". Because it did not appear in the white virus scan box I was unable to clean it. How do I get rid of it??? Do you think this is causing my problem???
    I have a Compaq Presario 1200US laptop using Windows ME.


    herb
     
  4. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
  5. lilaco

    lilaco Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    865
    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.54) - Release Date 12/12/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""
    "CPQEASYACC"="C:\\Program Files\\Compaq\\Easy Access Button Support\\StartEAK.exe"
    "PCHealth"="C:\\WINDOWS\\PCHealth\\Support\\PCHSchd.exe -s"
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "Vet Alert"="C:\\WINDOWS\\System\\VetMsg9x.exe"
    "VetTray"="C:\\PROGRA~1\\INOCUL~1\\VETTRAY.EXE"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "NoChange"="1"
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]


    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "QRIA"=dword:00000000


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "*StateMgr"="C:\\WINDOWS\\System\\Restore\\StateMgr.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=

    noload=C:\OPLIMIT\ocraware.exe

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS;C:\WINDOWS\COMMAND;c:\COREL\OFFICE7\SHARED\TRUEDOC\BIN
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP
    SET CLASSPATH=.;c:\COREL\OFFICE7\SHARED\BARISTA;c:\COREL\OFFICE7\SHARED\TRUEDOC
    SET LD_LIBRARY_PATH=c:\COREL\OFFICE7\SHARED\TRUEDOC\BIN

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -=========================-
    HKU (.Default) Run - Registry
    -=========================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]


    -==============================-
    HKU (.Default) RunOnce - Registry
    -==============================-


    [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "QRIA"=dword:00000000


    -================================-
    StubPaths - Registry (Partial Listing)
    -================================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
    "StubPath"=""
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:IE50 /user /install"
    "StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
    "StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"

    -=================-
    WINSTART.BAT File - (c:\windows\winstart.bat)
    -=================-

    @C:\WINDOWS\tmpcpyis.bat

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    @echo off

    REM Notes:
    REM DOSSTART.BAT is run whenenver you choose "Restart the computer
    REM in MS-DOS mode" from the Shutdown menu in Windows. It allows
    REM you to load programs that you might not want loaded in Windows,
    REM (because they have functional equivalents) but that you do
    REM want loaded under MS-DOS. The two primary candidates for
    REM this are MSCDEX and a real mode driver for the mouse you ship
    REM with your system. Commands that you want present in both Windows
    REM and MS-DOS should be placed in the Autoexec.bat in the
    REM \Image directory of your reference server. Please note that for
    REM MSCDEX you will need to load the corresponding real-mode CD
    REM driver in Config.sys. This driver won't be used by Windows 98
    REM but will be available prior to and after Windows 98 exits.
    REM
    REM This file is also helpful if you want to F8 boot into MS-DOS 7.0
    REM before Windows loads and access the CD-ROM. All you have to do
    REM is press F8 and then run DOSSTART to load MSCDEX and your real
    REM mode mouse driver (no need to remember the command line parameters
    REM for these two files.
    REM
    REM - You MUST explicitly specify the CD ROM Drive Letter for MSCDEX.
    REM - The string following the /D: statement must explicitly match
    REM the string in CONFIG.SYS following your CD-ROM device driver.

    REM MSCDEX.EXE /D:OEMCD001 /l:d
    REM MOUSE.EXE


    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-

    SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\CURVES~1.SCR

    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    COMSPEC=C:\WINDOWS\COMMAND.COM
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;C:\WINDOWS;C:\WINDOWS\COMMAND;c:\COREL\OFFICE7\SHARED\TRUEDOC\BIN
    TEMP=C:\WINDOWS\TEMP
    TMP=C:\WINDOWS\TEMP
    CLASSPATH=.;c:\COREL\OFFICE7\SHARED\BARISTA;c:\COREL\OFFICE7\SHARED\TRUEDOC
    LD_LIBRARY_PATH=c:\COREL\OFFICE7\SHARED\TRUEDOC\BIN
    winbootdir=C:\WINDOWS
    windir=C:\WINDOWS

    File - c:\windows\deletefi.ini

    ==========================================================================
    __________________________________________________________________________

    - End -
     
  6. lilaco

    lilaco Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    865
    Eddie, my anti-virus program is InoculateIT.


    herb
     
  7. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
    Hiya

    Looking quickly through it, I see you have Gator. That's spyware, though it shouldn't be causing this problem. Go here and download Ad-Aware: www.lavasoftusa.com
    Install and run it, ensuring that deep registry scan is enabled. Remove all except any references to Web3000 or new.net.

    Also download Refupdate from the same place and run it, to get the latest engine.

    Now, the list:

    I'm curious about this:

    I'll get confirmation on that.

    Apart from that, I can't see anything.

    eddie
     
  8. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
    Okay, you may have it. According to Symantec's site, it says this:

    Now, we have

    HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\RunOnce
    "QRIA"=dword:00000000

    So, that could be it.

    Okay, let's assume it is, that way we can be safe. Have you got the latest definitions for your AV? If not, get them.

    Let me know when you're ready.

    eddie
     
  9. lilaco

    lilaco Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    865
    Eddie, stupid question... what is AV?????



    herb
     
  10. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
    Sorry, shorthand :p

    AV is antivirus, InoculateIT

    eddie
     
  11. lilaco

    lilaco Thread Starter

    Joined:
    Jan 30, 2001
    Messages:
    865
    Eddie, here's what I get... what do you want me to do next?

    Scan initialized on 12/3/2001 8:50:44 PM.
    (AAW release 5.62, referencefile 087-22.09.2001)
    =================================================


    Started extended registry scan
    ===============================
    Cydoor key:HKEY_USERS\.default\software\cydoor\
    Gator key:HKEY_CLASSES_ROOT\clsid\{21ffb6c0-0da1-11d5-a9d5-00500413153c}\
    Gator key:HKEY_LOCAL_MACHINE\software\classes\getandrun.dfrun\
    Gator key:HKEY_LOCAL_MACHINE\software\classes\getandrun.dfrun.1\
    Cydoor key:HKEY_CURRENT_USER\software\cydoor\
    Cydoor key:HKEY_LOCAL_MACHINE\software\cydoor\
    Gator key:HKEY_LOCAL_MACHINE\software\gator.com\
    Gator key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/iegator.dll\
    Gator key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\gator\
    Other key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\uninstall\offers\
    Web3000 key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\stashedgef
    Web3000 key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\stashedgmg
    Gator key:HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\gator
    Gator key:Software\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\IEGator.dll
    Gator key:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\moduleusage\C:/WINDOWS/Downloaded Program Files/IEGator.dll
    Gator key:CLSID\{c1fb8842-5281-45ce-a271-8fd5f117ba5f}


    Registry scan result:
    Suspicious keys found :16



    Scanning finished
    ==================
    Suspicious modules found:0
    Suspicious keys found :16
    Suspicious folders found:0
    Suspicious files found:0
    =========================
    Spyware components ignored:0
    Total spyware components found:16
     
  12. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
    Okay

    You can remove all of them, but my main concern is this virus that you may have. Have you run your antivirus program yet?

    eddie
     
  13. TonyKlein

    TonyKlein Malware Specialist

    Joined:
    Aug 26, 2001
    Messages:
    10,392
    It means Antivirus... ;)

    About this entry in RunOnce, it isn't an executable.

    According to F.Secure you should see something like Ccmboifm.Exe, Lphbngae.Exe, or Lfpcmoif.Exe
    That could actually do something.

    This is a DWORD value set at 00000000 which means that, at the moment in any case, it just sits there and does nothing.

    What it's from I don't know. Maybe something you've just installed/removed?

    Grtz.
     
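As an added illustration (my code, not the thread's and not part of the StartUp Log tool), the Python below parses a constructed excerpt in the format of the log posted above, separates the entries Windows would actually launch from inert registry data such as the "QRIA" dword Tony describes, and checks the win.ini run=/load=, system.ini shell= and open-command defaults the log itself calls out. The excerpt's lines are constructed from the posted log, and the stock open commands are assumed from the values shown in it.

```python
import re

# Constructed excerpt in the layout of the rmbox StartUp Log posted in this thread
# (registry sections use .reg export syntax: backslashes doubled, quotes escaped).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"QRIA"=dword:00000000
run=
shell=Explorer.exe
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
'''
VALUE_RE = re.compile(r'^(@|"[^"]+")=(.*)$')        # "Name"=data or @=data
OPEN_RE = re.compile(r'^\((\.\w+) file - RegPath')  # the line after an @= command
INI_RE = re.compile(r'^(run|load|shell)=(.*)$', re.I)
EXPECTED_OPEN = {'.exe': '"%1" %*', '.com': '"%1" %*', '.bat': '"%1" %*',
                 '.pif': '"%1" %*', '.scr': '"%1" /S'}   # assumed stock 9x/ME defaults

def unescape_reg(s):
    """Undo .reg escaping: a backslash quotes the next character."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_startup_log(text):
    """Split the log into registry Run-type entries, ini lines and open commands."""
    key, pending, entries, ini, open_cmds = None, None, [], {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif (m := VALUE_RE.match(line)):
            name, data = m.group(1).strip('"'), m.group(2)
            if data[:1] == '"' == data[-1:] and len(data) > 1:
                kind, value = 'string', unescape_reg(data[1:-1])
            else:                      # dword:/hex: data, never a command line
                kind, value = data.split(':', 1) if ':' in data else ('other', data)
            if name == '@':
                pending = value        # its "(.ext file - RegPath ...)" line follows
            else:
                entries.append((key, name, kind, value))
        elif (m := OPEN_RE.match(line)) and pending is not None:
            open_cmds[m.group(1)], pending = pending, None
        elif (m := INI_RE.match(line)):
            ini[m.group(1).lower()] = m.group(2).strip()
    return entries, ini, open_cmds

def review(text):
    """Report what launches, what is inert data, and which defaults were changed."""
    entries, ini, open_cmds = parse_startup_log(text)
    report = {'commands': [], 'inert': [], 'problems': []}
    for key, name, kind, value in entries:
        where = key.rsplit('\\', 1)[-1]
        if kind == 'string':   # only a string value is a command line Windows runs
            report['commands'].append((where, name, value))
        else:                  # a dword in Run/RunOnce launches nothing by itself
            report['inert'].append((where, name, kind + ':' + value))
    # win.ini run=/load= should have nothing after '='; system.ini shell= only Explorer.exe
    report['problems'] += ['win.ini %s=%s' % (k, ini[k]) for k in ('run', 'load') if ini.get(k)]
    if ini.get('shell', '').lower() != 'explorer.exe':
        report['problems'].append('system.ini shell=%s' % ini.get('shell', ''))
    report['problems'] += ['%s open command: %s' % (e, c) for e, c in open_cmds.items()
                           if EXPECTED_OPEN.get(e, c) != c]
    return report
```

Running `review(SAMPLE_LOG)` lists Gator and ScanRegistry as the only launching entries, reports QRIA as inert dword data, and finds no changed defaults.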
  14. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    35,977
    Hiya Tony

    Thanks for clarifying this. I was a bit worried, but not, if you know what I mean.

    eddie
     
  15. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Are you clicking "OK" after "Apply"? Or even just "OK" after the change?

    Correct me if I'm wrong on this guys, but I don't think the "Apply" tab alone survives a reboot. For that you have to click "OK".
     
Short URL to this thread: https://techguy.org/60208