Profile Quota


Keef
11th Nov 2009, 17:36
I spent a long evening on Tuesday with a very dear but non-computer-literate friend, trying to fix her machine after a virus attack. She'd clicked on one of those "DHL Consignment - click here to rearrange delivery" jobs. Unknown to her, the children had turned off Zone Alarm and AVG because it got in the way of their games.

Anyway, removing the virus wasn't too hard. I had to run the XP Pro "repair/reinstall" routine to fix the damaged operating system stuff. That took an hour or so.

Then came the problem. The machine refused to shut down because her "Profile" was 94 megabytes against a system limit of 10240k. We can get round it by Ctrl-Alt-Del and killing proquota.exe before issuing the shutdown command, BUT...

It lists the files that are filling up the quota - right down to those of 1k or less. In total, they add to maybe 5 meg (after clearing out a vast deleted files folder in Firefox, an even vaster deleted files folder in File Explorer, and more antique tempfiles than I dreamed could exist). So the list shows 5 meg (ish), the limit is 10 meg (ish) and proquota thinks there are 94 meg.

I tried changing the profile limits in the Windows\Inf\ file (I forget the name) but the changes didn't "take".

Google has not heard of this problem (or I couldn't find it, anyway). Has anyone come across it, is it a sign that the virus is still lurking, or is there a damaged file somewhere that's confusing it?

She's (understandably) fed up with the whole business and suggested buying a new PC - because this one's running so slowly. I think the slowness thing is fixed (MSCONFIG and turn off the enormous list of stuff installed by the kids). My inclination - and hers - is to archive her "stuff", wipe the HD, and install Windows 7 etc. The children meanwhile all have their own laptops so don't need to use Mum's PC.

green granite
11th Nov 2009, 18:01
My inclination - and hers - is to archive her "stuff", wipe the HD, and install Windows 7 etc. The children meanwhile all have their own laptops so don't need to use Mum's PC.


Probably the easiest thing to do. Gets rid of most of the crap, just copy the book marks backups etc to a memory stick or something.

Keef
11th Nov 2009, 20:18
I think that's PROB60 what we'll do.

I'm still curious about what's happened/happening in the machine to give those symptoms. I'd never seen the proquota warning till last night.

mad_jock
11th Nov 2009, 20:43
I have had similar issues but not quite the same.

It was down to a thing called tattooing, which normally gives you grief in an enterprise environment where someone has been fiddling with policies and profiles in an old NT environment. The user logs in and drags all their local administrator's bad habits over onto your network.

It gives no amount of grief when they do it and if you can find a way of reversing it you're a better man than me. Spent a day comparing registries of a before and after image and still couldn't strip it out. Bloody thing stays with the machine and contaminates anyone else that logs onto it.

It sounds like the virus has done some proper damage. I would go with a wipe and install as well. I would also make sure that whatever you back your files up onto is formatted using FAT16 or FAT32 and not NTFS. Don't ask why because I don't have a clue for a technical reason, just have had issues with "where the hell has it got that from again" which stripping it of all its NTFS extras has solved.

Standing by for your talking bollocks as usual.

You could try creating a new account and seeing if it has the same issues. Even if it doesn't my vote is still to go with a wipe and reinstall.

Simonta
11th Nov 2009, 21:02
Hi Keef

It's unusual to see profile size limits on home PCs. The default is "no limit". My own profile is over 7GB!

Run gpedit.msc then navigate to User Configuration->Administrative Templates->System->User Profiles. Is there anything set under "Limit Profile Size"?

Saab Dastard
11th Nov 2009, 21:07
Interesting - for a non-computer-literate person to have enabled profile quotas!

It certainly isn't enabled by default in XP.

Description: proquota.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 50,176 bytes (50% of all occurrences), 45,056 bytes, 45,568 bytes.

Important: Some malware camouflage themselves as proquota.exe, particularly if they are located in c:\windows or c:\windows\system32 folder.

I would definitely suspect foul play, so a trash and burn followed by a clean install sounds like the best way forward.



SD
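The two posts above suggest checking whether the "Limit profile size" policy is actually set, and checking that the proquota.exe on the machine is the one that belongs in System32. The script below is an added example written for this thread, not anything posted by the participants. It assumes a Windows host with PowerShell 3.0 or later. The registry value names (EnableProfileQuota, MaxProfileSize in KB, and so on) are the ones the Group Policy template writes under HKCU\Software\Policies\Microsoft\Windows\System when the gpedit setting Simonta mentions is configured; on a home PC the key is normally absent.

```powershell
# Added example, not from the thread: audit the "Limit profile size" policy that
# drives proquota.exe, and sanity-check the proquota.exe binary itself.
# Assumes Windows with PowerShell 3.0 or later.

$PolicyKey   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$PolicyNames = 'EnableProfileQuota', 'MaxProfileSize', 'IncludeRegInProQuota',
               'WarnUser', 'WarnUserTimeout', 'ProfileQuotaMessage'

function Get-ProfileQuotaPolicy {
    # Returns the policy values if the key exists; "Configured = $false" means
    # no quota policy is applied to the current user, which is the XP default.
    if (-not (Test-Path -Path $PolicyKey)) {
        return [pscustomobject]@{ Configured = $false }
    }
    $props  = Get-ItemProperty -Path $PolicyKey
    $result = [ordered]@{ Configured = $true }
    foreach ($name in $PolicyNames) { $result[$name] = $props.$name }
    return [pscustomobject]$result
}

function Test-ProQuotaBinary {
    # Compares any running proquota process against the expected on-disk path,
    # reports size and Authenticode status of the expected binary, and lists
    # stray copies of the same name elsewhere under the Windows directory.
    $expected = Join-Path -Path $env:SystemRoot -ChildPath 'System32\proquota.exe'
    $findings = @()

    foreach ($proc in Get-Process -Name proquota -ErrorAction SilentlyContinue) {
        # Path is $null when the caller lacks rights to query the process.
        $findings += [pscustomobject]@{
            Check   = 'RunningImagePath'
            Value   = $proc.Path
            Suspect = ($null -ne $proc.Path -and $proc.Path -ine $expected)
        }
    }

    if (Test-Path -LiteralPath $expected) {
        $file = Get-Item -LiteralPath $expected
        # Catalog-signed OS files can show NotSigned on older PowerShell versions,
        # so treat the signature as one signal among several, not a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $expected
        $findings += [pscustomobject]@{ Check = 'FileSizeBytes'; Value = $file.Length; Suspect = $false }
        $findings += [pscustomobject]@{ Check = 'Signature';     Value = $sig.Status;  Suspect = ($sig.Status -ne 'Valid') }
    }
    else {
        $findings += [pscustomobject]@{ Check = 'FileExists'; Value = $false; Suspect = $true }
    }

    $stray = Get-ChildItem -Path $env:SystemRoot -Recurse -Filter 'proquota.exe' -Force -ErrorAction SilentlyContinue |
             Where-Object { $_.FullName -ine $expected }
    foreach ($s in $stray) {
        $findings += [pscustomobject]@{ Check = 'StrayCopy'; Value = $s.FullName; Suspect = $true }
    }

    return $findings
}

Get-ProfileQuotaPolicy | Format-List
Test-ProQuotaBinary    | Format-Table -AutoSize
```

If the policy key is absent yet proquota.exe is running, or the running image path is not System32\proquota.exe, that is the kind of mismatch the posters above are pointing at. Turning the quota off properly means setting the policy to Not Configured (or deleting those values) rather than killing the process at shutdown.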

BOAC
11th Nov 2009, 21:54
As Simonta says, you normally need a group policy set for profile size to be considered, and that seems strange for this lady?

I think I heard once that the proquota.exe can be written to C:\Windows\System32\wbem by viruses.

Bushfiva
11th Nov 2009, 23:28
Keef, you might get slightly more targeted help if you'd mentioned the OS and the virus you believe you got rid of: this sounds like Spyware Protect.

Keef
11th Nov 2009, 23:35
Thanks for the info - much appreciated.

I think it's coming round to the infection being still there, and in proquota.exe.
I did rename that file (while it wasn't running) to something else, and proquota.exe reappeared on the next boot-up. I've seen Windows do that before with other stuff, so wasn't unduly surprised.

I installed Avast, did a full update of that, and then left it doing a full check when I left her house last night. She's not e-mailed back to say what (if anything) was in the results of that, but she was embarrassed at having clicked on the virus e-mail, and that the children (aged between 19 and 30!) had turned off the protection on the machine.

I'll send her an e-mail to order Win 7 HP while I'm away, and I'll install it when I get back.

Understood on FAT32 for download/uploads. My portable USB 60GB drive is FAT32 anyway: it has to be, because I often use Knoppix to recover stuff from trashed PCs, and Microsoft won't allow Knoppix (or any Linux) to write NTFS format.

There must be a paying career for folks who go round mending PCs! I do lots of it, and am usually sent home with a bottle of good red wine.

Keef
11th Nov 2009, 23:42
Keef, you might get slightly more targeted help if you'd mentioned the OS and the virus you believe you got rid of: this sounds like Spyware Protect.

True!

The OS is Windows XP Professional. Not sure which virus it was: Googling beforehand suggested that the DHL "Your shipment" e-mail usually carries Bredolab trojan, but other options were also suggested.

AVG (when I turned it back on) said it had found file0.exe which it moved to the virus vault, and a rootkit trojan (not named).

I ran an XP install-fix which did a pretty thorough reinstall of a fair proportion of the operating system, and AVG and Avast didn't report anything untoward at startup - I removed AVG 8.5 and installed the latest Avast.

cessnapuppy
11th Nov 2009, 23:51
I would also make sure that what ever you back your files up onto is formatted using FAT16 or FAT32 and not NTFS. Don't ask why because I don't have a clue for a technical reason just have had issues with "where they hell has it got that from again" which stripping it of all its NTFS extras has solved.

There is a 'secondary data channel' on NTFS... shhhhttttt... I don't remember what it was, I used to play with it, but you could add all kinds of additional metadata (virus stuff) and it would be there, unseen, ready to be picked up...
damn...


edit..
Alternate Data Streams... that's what it is!

Bushfiva
12th Nov 2009, 00:06
Bredolab's a download agent: after installation, it downloads other payloads off tinternet. I think the machine's not clean yet. Have you tried Trend Micro's Housecall?

BOAC
12th Nov 2009, 08:11
With reference to 'my' virus thread, Panda Cloud and Norman 2009 are worth running too. Have you looked in \wbem?

Keef
12th Nov 2009, 18:24
I've alerted Gillian to the fact that it's best to unplug the Internet lead from the machine and leave it till I get back to Essex. Then we'll wipe and reinstall (using my FAT32 external HD to store the "stuff" she needs to keep).

mad_jock
12th Nov 2009, 18:40
Personally I reckon the children should get a clip round the ear and the suggestion that Dell have some good deals on either desktops or laptops at just about double the price of a copy of windows 7. Which you would get pre-installed anyway.

And at least you would know all the drivers would work.

Simonta
12th Nov 2009, 23:10
Hi Keef

Ignore all the comments about NTFS. For several reasons, it is considerably less vulnerable than FAT to malware - in fact, FAT is to all intents and purposes completely insecure against nasties. Only true though if you don't log on with admin or power user rights :=. See my previous post. When using FAT, you are effectively running as admin all the time.

It's also higher performance, with no file size limits for practical purposes and is a lot more robust than FAT.

Do a little googling if you need more reassurance but trust me, format with NTFS, make sure you always update and log on as a lowly user to surf and you will be very unlucky to get something. In fact, only 2 ways to get past the "non admin user on a fully patched NTFS system" and that's to exploit a bug (security hole which has not yet had a patch released/applied) or social engineering tricking you into running something bad with elevated rights. The overwhelming majority of nastiness out there relies on users running on FAT, as admin on NTFS or unpatched systems.

I've said it before and I'll say it again. Give me a fully patched Windows system on NTFS with me logged in as a user and I'll challenge anyone to get past me....

On FAT, you are in the wild west....

Cheers

PS. The alternate data streams (ADS) on NTFS can be a problem but not commonly used by baddies and only effective if you are admin or power user. This link is useful:

Computer Forensics - Dissecting NTFS Hidden Streams (http://www.forensicfocus.com/dissecting-ntfs-hidden-streams)

PPS. There are *nix drivers which will happily write to NTFS. Microsoft did not do anything to prevent access to NTFS - they simply did not publish the NTFS designs - no bad thing in my book as it all adds to the security.

start [www.linux-ntfs.org] (http://www.linux-ntfs.org/doku.php)
http://www.ntfs-3g.org/

Jofm5
12th Nov 2009, 23:46
I did rename that file (while it wasn't running) to something else, and proquota.exe reappeared on the next boot-up. I've seen Windows do that before with other stuff, so wasn't unduly surprised.



Not sure how you renamed the file but you may want to be aware of the following....

When renaming, moving etc files from explorer if it is a registered application explorer will handily (read as pain in the ass) update the registry to reflect the changes you have made.

The way to prevent this is to drop to a CMD prompt and do it manually at which point any links with the registry are no longer preserved.

Keef
13th Nov 2009, 01:06
Thanks for those!

My USB drive is FAT - it has to be, because I also write to it from time to time with Knoppix for disk data recovery, and Knoppix isn't allowed to use NTFS. MS made them remove the capability. I will run the drive against Avast before we go further.

Yes, I changed the filename from proquota.exe to proquota.was under a CMD prompt while it was "shut down" - and it reappeared when I rebooted.

Gillian's son e-mailed me this evening to tell me her PC is seriously ill again, and that she's ordered Win 7.

The children are 28, 26, 24, and 19 and now all have their own laptops. This PC will have two users - Admin and Gillian.

mad_jock
13th Nov 2009, 08:19
For a built stable machine I am sure NTFS is a wonderful addition to the security if the owner of said machine operates as per the dictates that Microsoft want. Which I suspect only ever happens in an administrated network. And almost never in the home environment.

We are talking about cleaning a diseased box of tricks. Which I suspect has been operated in power user mode if not admin on the main user account. It would explain the turning off of the anti virus and also installing games. Which I suspect the issue was with some crap updater for the game getting flagged as malware.

By transferring onto FAT32 then putting back onto NTFS if you so wish you strip all the extras of NTFS, all the ownership problems are gone. It is just a tool to get a job done of restoring a machine.

I must admit thankfully I have only ever worked with networks using Samba to link through onto the unix file servers. Now if you want true security and performance that's the way to go.

Simonta
13th Nov 2009, 09:14
Excuse me mad jock, total tosh. When you convert a volume to NTFS, you get exactly the same file system as you would with a fresh format - the only difference is, it's a populated, converted volume rather than a fresh MFT and boot record. What "extras" do you refer to?

ACLS? Nope, present on both converted and formatted drives.
Sym links? Nope, present on both converted and formatted drives.
ADS? Nope, present on both converted and formatted drives.
File journaling, mount points, dynamic volumes or checkpoints? Nope, present on both converted and formatted drives.

The whole point of the "extras" is that it's secure. Indeed, as secure as Samba - demonstrably. I'm not aware, nor can I find a reference to, a single documented security hole in NTFS since NT4. NTFS is exactly as secure in either scenario - standalone or a member of a networked domain, the local ACLs ensure this. Lose the password to an NTFS volume and the only thing which will get your data off is low level physical access unless the data is also encrypted - exactly the same as Samba, EFS - even MVS.

Also tosh about "the way Microsoft want you to use it". Every PC is a domain member. If you are using NT, 2000, XP, Vista or Windows 7, it is a member of at least one domain - itself. A standalone PC has a domain SID generated during Windows installation.

By "removing the ownership problems" you are removing security - inviting trouble usually followed by some crass comment about Microsoft rather than admission of shooting oneself in the foot. By perpetuating this kind of misinformation, you do everyone a disservice.

Keef, Microsoft didn't make anybody take something out. As I said in my last post, the only reason Knoppix (or anyone else) could not write to NTFS was because MS didn't publish the interfaces. Even that info is out of date though as there are several *nix drivers which will happily write NTFS including on Knoppix. I use NTFS-3G on Ubuntu to write to my Windows 7 box and it works a treat. I believe that it also supports Knoppix but if not, there are plenty of distros out there that do.

Back to the point though, I agree with others that without deep technical knowledge, a rebuild is probably the safest way to go. If you are experienced with Hijackthis, rootkit revealers, Sysinternals and Jsware Stream Viewer, then you will probably recover the machine. If any of these things mean nothing to you, then you risk leaving enough badness behind to compromise the machine again.

PS. Did I mention that you should wean your friend off the admin habit?
It isn't difficult, Linux and Mac folks do it without thinking about it.

:ok:

Good luck....

Saab Dastard
13th Nov 2009, 09:51
Simonta,

Back off a bit there, please. You are getting hold of the wrong end of the stick and flaming people unnecessarily. And making rather an ass of yourself.

MJ has said - quite correctly - that migrating data from an NTFS volume to a FAT volume will remove any ADS nasties lurking within before re-installing the data to a new or rebuilt computer.

You seem to believe that he is advocating running permanently with FAT / FAT32. He isn't, no-one is. Yes, you are right, NTFS is much the best way to go for Windows - no-one is disagreeing with you - which is why we don't need it rammed down our throats quite so hard!

SD
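Several posts here (cessnapuppy's on alternate data streams, Simonta's PS with the forensicfocus link, and SD's point that copying through a FAT volume drops any ADS) describe the same NTFS feature. The script below is an added example written for this thread, not code from any poster. It assumes Windows, an NTFS volume and PowerShell 3.0 or later, which is where Get-Item, Set-Content and Remove-Item gained their -Stream parameter; the sample file and stream it creates under %TEMP% are constructed for the demonstration.

```powershell
# Added example, not from the thread: list alternate data streams (ADS) under a
# directory, then drop one named stream in place, which is what the copy-to-FAT
# round trip achieves for every stream at once. Assumes Windows, NTFS, PowerShell 3.0+.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory = $true)] [string] $Root,
        # Zone.Identifier is the "mark of the web" that Internet Explorer and
        # friends attach to downloads; it is benign and usually expected.
        [switch] $IgnoreZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the main ':$DATA'.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { -not ($IgnoreZoneIdentifier -and $_.Stream -eq 'Zone.Identifier') } |
        Select-Object FileName, Stream, Length
}

# --- constructed demonstration: one file with one hidden stream ---
$demoDir = Join-Path -Path $env:TEMP -ChildPath 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$sample = Join-Path -Path $demoDir -ChildPath 'sample.txt'
Set-Content -LiteralPath $sample -Value 'visible content'
Set-Content -LiteralPath $sample -Stream 'hidden' -Value 'content in an alternate stream'

'Streams before:'
Find-AlternateDataStreams -Root $demoDir | Format-Table -AutoSize

# Remove only the named stream; the file's main data is untouched.
Remove-Item -LiteralPath $sample -Stream 'hidden'

'Streams after:'
Find-AlternateDataStreams -Root $demoDir | Format-Table -AutoSize
'Main data still readable:'
Get-Content -LiteralPath $sample

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Run against a user's profile folder (for example Find-AlternateDataStreams -Root $env:USERPROFILE -IgnoreZoneIdentifier) it shows exactly which files carry extra streams before anything is copied off, so the FAT round trip, if used, is a deliberate choice rather than a guess. Executable content in an ADS still needs something to launch it, which is why the posters tie the risk to running as an administrator.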

Keef
13th Nov 2009, 09:56
Microsoft didn't make anybody take something out. As I said in my last post, the only reason Knoppix (or anyone else) could not write to NTFS was because MS didn't publish the interfaces.

Things may have changed, but NTFS support was in the early versions of Knoppix that I used. It worked well in 2005 or thereabouts, when I helped a friend recover something like 50,000 photographs off his XP Pro machine.

The next time we tried, the latest Knoppix refused to write to the same external device. Google revealed this: "Legal issues most likely. NTFS is still 100% property of Microsoft. A similar issue prevented Klaus from including nF2 drivers in Knoppix awhile back IIRC. If you wanted them, you had to do a remaster to include them."

May all be tosh, of course. Anyway, the last Knoppix I tried wouldn't write to NTFS but was happy with FAT etc. So the external drive, used probably three or four times a year with Knoppix, is FAT32. No problems, no need to change it. Once the job's done, I reformat it to remove the stuff ready for next time.

Yes, she had set all the family members as Admins. When I do Win 7, I'll set her as a normal user and an Admin account for when needed.

mad_jock
13th Nov 2009, 10:00
But that's the point you are not converting. You are taking suspect data and transferring it. NTFS has metadata attached which malware can and does use if your security has been compromised.

And in this case security most definitely has been compromised.

Samba is not a filesystem, it is an application which allows MS clients access to UNIX system resources. It's the well proven UNIX security which does the work, not Samba. The fact that NTFS was designed by the OpenVMS chap to incorporate the security of the well proven UNIX method is fact. The fact that Microsoft decided to add features to it which allowed the security to be compromised is also fact.

It is also fact as well that given the option a large percentage of home users will not follow best practice, will not have that 3rd sense in the back of their heads to tell them not to click on "ok". Even if the browser asks them "are you sure you want to navigate away from this page" they will click "OK" whereas you and I will kill the process.

It's not a fundamental problem with NTFS, it is a problem that most computer users don't have a bloody clue what they are doing. Which as admins we used to lock down, turning off numerous features to protect our systems.

Keef
13th Nov 2009, 10:25
Exactly so, MJ.

And most home users - non-techie gurus the lot of 'em - will just go with the flow on the basis they don't understand any of this stuff. Believe me, clergymen are the worst. Most of my "unscrambling" of PCs is for these fine, caring gentlemen.

I do try to explain why and what, but eyes glaze over quickly. So I set things up as best I can and tell them not to click on anything that says thus, or any e-mail from someone you don't know, and so on. They usually do so within three months.

So it's Firefox with NoScript etc, Zone Alarm, Avast, Adblock+ and so on and so on, and rely on those to look after them.

Gillian's is a different case but in the same mould. She got an e-mail about a DHL parcel and was expecting one. But the e-mail wasn't about HER parcel, and the payload was toxic.

Saab Dastard
13th Nov 2009, 10:33
Also tosh about "the way Microsoft want you to use it". Every PC is a domain member. If you are using NT, 2000, XP, Vista or Windows 7, it is a member of at least one domain - itself. A standalone PC has a domain SID generated during Windows installation.

I'm afraid it's you that is spouting tosh there, Simonta.

MS define a Domain as having at least one Domain Controller (i.e. share a central directory database). The only time a single computer can be a member of a domain is when it is itself a DC.

Windows Computers standalone or networked without a DC are in a Workgroup.

Indeed, many versions of Windows CANNOT ever join a domain - WinXP Home, all Home versions of Vista and the same for Win7.

Finally, just because a SID is used doesn't make it a "Domain SID". All windows PCs use SIDs, whether they are in a Workgroup (with only one PC or several) or in a Domain.

SD

jimtherev
13th Nov 2009, 10:41
It's so easy to forget that most of the people who use PCs just use them as a tool - whether it's corresponding with friends in Oz or writing wise words for the Parish Magazine or collating their stamp collection. Small wonder that their eyes glaze over when we start talking about Administrator privileges or FAT32 or even disabled virus updates.

I'm out in a few mins (on me day off, of course) to sort such a person - or rather her computer; V. is beyond sorting - because she has a friend who knows about computers... i.e. he took a City and Guilds in about 1956 or something. When I get into trouble, it's because I think I know best, or have a senior moment, and there's no cure for either of those.

mad_jock
13th Nov 2009, 10:49
If you are doing it that often have you had a play with a mirror application.

Build the machine up, install all the applications. Do all the good stuff: putting the data on a separate partition and getting user accounts set up, pointing all the applications to this partition.

Then mirror the whole lot. If they do then kill the machine, boot into Linux from a USB pen and back up the data partition onto your USB drive.

Blow the image back onto the machine. Restore the data and you should be good for another 3 months.

Just keep all the mirrors on either DVDs or on a separate drive.

If they want to install some software, blow the image back on again so it's a clean install, install the software, take another image and restore the data if required.

First time you do it it will take maybe a couple of hours to set up but after that you should be able to reset to clean in under 30mins (data backup/restore time excluded)

Keef
13th Nov 2009, 10:56
I tried that a couple of times, MJ. Then came the plaintive plea "Where's the e-mail with all the bookings details of my holiday and the print-your-tickets?"

I'm resigned to it being a two to three hour job most times - and to needing to use Knoppix and my FAT32 external drive on about one in ten. I use the Windows Installer Repairer on about one in three - and that does a fair job.

Gillian's is the first in a long time that's been so bad it's come down to wipe-and-reinstall the lot. But we get rid of six accounts (all admins) and leave her with two - hers and Admin. And she goes from XP Pro to Win 7.

Jimtherev - you seem to have the same "client base" I do. Mine's Diocese of Chelmsford, Southend area.

mad_jock
13th Nov 2009, 11:10
Aye that's why you have to put in a bit of work making sure the applications all point towards the data partition.

Most folk forget to shift the profile storage to the data partition as well, which causes the problems with that awful disease spreading email client outlook.

That's another nasty habit people get, dumping everything on the desktop and then wondering why the machine is so slow.

Mike-Bracknell
13th Nov 2009, 13:55
Microsoft did nothing to 3rd party vendors about NTFS, they just tightened further the security surrounding it and added extra functionality - the problem being that Knoppix et al didn't put in the legwork to fix their connectors to NTFS. It's happened twice before in my memory.

Incidentally, NTFS (as part of Windows NT etc) gained, and still has, US military C2 security clearance.

jimtherev
13th Nov 2009, 20:51
Keef: 'Jimtherev - you seem to have the same "client base" I do. Mine's Diocese of Chelmsford, Southend area.'
Mine's Norf London non-conformist - much smaller than yours, by the sound of it... but persistent and determined to make the same mistake more than once. Got to admire that.
And resourceful, too. I've never before yesterday met anyone who could trash a motherboard by installing a modem. Still don't understand that one. To be continued, I expect...

mad_jock
13th Nov 2009, 20:56
Jim try pulling the BIOS battery and letting it sit unplugged for 10 mins then installing it again.

Reboot and see if it is still fried.

This is of course presuming there isn't evidence of burnt circuitry.

I suspect they have tried to install it with the power on and in sleep mode ;)

You might have to reblow the BIOS if the battery trick doesn't work.

jimtherev
13th Nov 2009, 21:37
Thanks, MJ. I'll certainly try that when Mrs JTR is elsewhere: she's getting a bit tetchy just now about all the hardware about. And this certainly ain't the weather for the workshop. (Read garden shed.)

Simonta
22nd Nov 2009, 20:35
M_J. My unreserved apologies. Saab Dastard is right. I did get the wrong end of the stick. I read your posts as suggesting that taking data to FAT and back to NTFS would somehow stop NTFS using meta data and ACLS. I was wrong and was also in a foul mood (the worst excuse ever) when I posted.

I should have used my own advice which I often give to others. If you are writing any electronic document which is anything other than devoid of emotion and could be construed as a flame or similar, draft it then take a look at it the next day. Then decide whether to post/send.

My sincere apologies again. Regards

Simon

mad_jock
22nd Nov 2009, 21:20
not a problem.

Saab Dastard
22nd Nov 2009, 21:23
Simonta,

Respect to you sir (or madam :O) - that's a handsomely worded post! :ok:

SD

Keef
22nd Nov 2009, 22:36
Well, the sequel - for those who like dramas :(

Knoppix read Gillian's hard drive, and copied off her "stuff" to the external FAT drive. Or so we thought - the messages on screen were right. I plugged the drive into my laptop and told Avast to check it, and off it went.

I then wiped her hard drive and set Win 7 to installing. When that was done, I installed Avast, Firefox, Thunderbird, and MS Office. Then plugged in the external drive ... and her stuff wasn't on it. Whether it failed to copy (likely), or was so infected that Avast zapped the lot (less likely) we shall never know.

And then, of course, her Win 7 Home Premium Upgrade edition wouldn't "validate" online because it wasn't installed on top of a previously licenced copy. I phoned the MS activation line and got a charming Indian call centre person who told me I would have to wipe the lot, reinstall XP Pro, then install Win 7 over that. We didn't, and aren't going to. Next time she and I are in the same county we will phone MS and hopefully get the UK helpdesk who will give us the validation code to enter.
Or I may just use the registry tweak I've been sent.

There followed an "interesting" hour or two recovering stuff from various places. We recreated most of her e-mail address book from the past two weeks' incoming mail on her server, plus my address book (we share many friends).

Next session will be about an external backup hard drive (or maybe a memory stick).

She now knows never to open an e-mail with an attachment, and not to turn off Avast.

The good news is that the machine is dramatically faster than it was before the procedure.