Profile Quota
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Likes: 0
Received 0 Likes
on
0 Posts
I spent a long evening on Tuesday with a very dear but non-computer-literate friend, trying to fix her machine after a virus attack. She'd clicked on one of those "DHL Consignment - click here to rearrange delivery" jobs. Unknown to her, the children had turned off Zone Alarm and AVG because it got in the way of their games.
Anyway, removing the virus wasn't too hard. I had to run the XP Pro "repair/reinstall" routine to fix the damaged operating system stuff. That took an hour or so.
Then came the problem. The machine refused to shut down because her "Profile" was 94 megabytes against a system limit of 10240k. We can get round it by Ctrl-Alt-Del and killing proquota.exe before issuing the shutdown command, BUT...
It lists the files that are filling up the quota - right down to those of 1k or less. In total, they add to maybe 5 meg (after clearing out a vast deleted files folder in Firefox, an even vaster deleted files folder in File Explorer, and more antique tempfiles than I dreamed could exist). So the list shows 5 meg (ish), the limit is 10 meg (ish) and proquota thinks there are 94 meg.
I tried changing the profile limits in the Windows\Inf\ file (I forget the name) but the changes didn't "take".
Google has not heard of this problem (or I couldn't find it, anyway). Has anyone come across it, is it a sign that the virus is still lurking, or is there a damaged file somewhere that's confusing it?
She's (understandably) fed up with the whole business and suggested buying a new PC - because this one's running so slowly. I think the slowness thing is fixed (MSCONFIG and turn off the enormous list of stuff installed by the kids). My inclination - and hers - is to archive her "stuff", wipe the HD, and install Windows 7 etc. The children meanwhile all have their own laptops so don't need to use Mum's PC.
More bang for your buck
Join Date: Nov 2005
Location: land of the clanger
Age: 82
Posts: 3,512
My inclination - and hers - is to archive her "stuff", wipe the HD, and install Windows 7 etc. The children meanwhile all have their own laptops so don't need to use Mum's PC.
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
I think that's PROB60 what we'll do.
I'm still curious about what's happened/happening in the machine to give those symptoms. I'd never seen the proquota warning till last night.
Join Date: May 2001
Posts: 10,815
I have had similar issues but not quite the same.
It was down to a thing called tattooing, which normally gives you grief in an enterprise environment where someone has been fiddling with policies and profiles in an old NT environment. The user logs in and drags all their local administrator's bad habits over onto your network.
It gives no amount of grief when they do it, and if you can find a way of reversing it you're a better man than me. Spent a day comparing registries of a before and after image and still couldn't strip it out. Bloody thing stays with the machine and contaminates anyone else that logs onto it.
It sounds like the virus has done some proper damage; I would go with a wipe and install as well. I would also make sure that whatever you back your files up onto is formatted using FAT16 or FAT32 and not NTFS. Don't ask why because I don't have a clue for a technical reason, just have had issues with "where the hell has it got that from again" which stripping it of all its NTFS extras has solved.
Standing by for your talking bollocks as usual.
You could try creating a new account and seeing if it has the same issues. Even if it doesn't my vote is still to go with a wipe and reinstall.
Join Date: Jan 2006
Location: UK
Posts: 130
Hi Keef
It's unusual to see profile size limits on home PCs. The default is "no limit". My own profile is over 7GB!
Run gpedit.msc then navigate to User Configuration->Administrative Templates->System->User Profiles. Is there anything set under "Limit Profile Size"?
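As an added example (not from this thread, and not anyone's posted code), the PowerShell below reads the registry values that the gpedit.msc setting above writes, and then measures what is actually in the profile so the figures can be put next to the limit proquota reports. It assumes the policy lives under HKCU\Software\Policies\Microsoft\Windows\System with the value names EnableProfileQuota, MaxProfileSize (in KB) and IncludeRegInProQuota, that it is run as the affected user on an XP-style profile layout (Local Settings under the profile root), and that proquota does not count the non-roaming Local Settings tree (that last point is an assumption, so the script measures it separately rather than silently subtracting it).

```powershell
# Added example, not part of the original thread.
# Reads the "Limit profile size" policy values and measures the profile on disk.
# Assumptions: policy key/value names as below; XP profile layout; run as the user.
$policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\System'

function Get-ProfileQuotaPolicy {
    if (-not (Test-Path -LiteralPath $policyKey)) {
        return 'No user-profile policy key present: quota is off (the XP default).'
    }
    $p = Get-ItemProperty -LiteralPath $policyKey
    if ($p.EnableProfileQuota -ne 1) {
        return 'Policy key exists but EnableProfileQuota is not 1: quota not enforced.'
    }
    $limitKB = [long]$p.MaxProfileSize
    @(
        'Profile quota is ENABLED by policy:'
        ('  MaxProfileSize       = {0} KB ({1:N1} MB)' -f $limitKB, ($limitKB / 1024))
        ('  IncludeRegInProQuota = {0}  (1 = NTUSER.DAT counts against the limit)' -f $p.IncludeRegInProQuota)
        ('  WarnUser             = {0}' -f $p.WarnUser)
    )
}

# Sum file sizes below a folder, skipping junctions/symlinks so the compatibility
# links that Vista and later add to a profile are neither looped nor double-counted.
function Get-FolderBytes {
    param([string]$Path)
    $sum = 0L
    foreach ($item in @(Get-ChildItem -LiteralPath $Path -Force -ErrorAction SilentlyContinue)) {
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) { continue }
        if ($item.PSIsContainer) { $sum += Get-FolderBytes $item.FullName }
        else { $sum += $item.Length }
    }
    return $sum
}

Get-ProfileQuotaPolicy

$userProfile = $env:USERPROFILE
$total = Get-FolderBytes $userProfile

# The registry hive is a single hidden file in the profile root; show it on its
# own because the policy can be told to count it.
$hive = 0L
$ntuser = Join-Path $userProfile 'NTUSER.DAT'
if (Test-Path -LiteralPath $ntuser) { $hive = (Get-Item -LiteralPath $ntuser -Force).Length }

# Assumption: proquota, being a roaming-profile tool, ignores the non-roaming
# "Local Settings" tree (XP name); measure it separately so it can be subtracted.
$local = 0L
$localDir = Join-Path $userProfile 'Local Settings'
if (Test-Path -LiteralPath $localDir) { $local = Get-FolderBytes $localDir }

'Profile folder, everything      : {0:N1} MB' -f ($total / 1MB)
'  minus Local Settings          : {0:N1} MB' -f (($total - $local) / 1MB)
'  NTUSER.DAT registry hive      : {0:N1} MB' -f ($hive / 1MB)
```

If the policy key is absent on a home machine that is still showing the proquota warning, the warning is not coming from the place gpedit.msc controls, which is worth knowing before spending more time on it. Note also that a hidden NTUSER.DAT of tens of megabytes never shows up in a list of "files filling the profile", so printing it separately avoids one obvious way for the two totals to disagree.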
Spoon PPRuNerist & Mad Inistrator
Interesting - for a non-computer-literate person to have enabled profile quotas!
It certainly isn't enabled by default in XP.
I would definitely suspect foul play, so a trash and burn followed by a clean install sounds like the best way forward.
SD
Description: proquota.exe is located in the folder C:\Windows\System32. Known file sizes on Windows XP are 50,176 bytes (50% of all occurrence), 45,056 bytes, 45,568 bytes.
Important: Some malware camouflage themselves as proquota.exe, particularly if they are located in c:\windows or c:\windows\system32 folder.
SD
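The description quoted above gives a location and a few known sizes for proquota.exe; as an added example (not from this thread) here is a PowerShell inventory that finds every file by that name on the system drive, hashes it, and compares the System32 copy with the one Windows File Protection keeps in %SystemRoot%\system32\dllcache, which is where XP restores a protected system file from when it is renamed or replaced. It assumes the XP folder layout and PowerShell 2.0 or later; the CompanyName check relies on version-info strings that malware can forge, so it is a triage aid, not proof.

```powershell
# Added example, not part of the original thread.
# Inventory every proquota.exe on the system drive and compare each with the
# Windows File Protection cache copy. Assumptions: XP layout (%SystemRoot%\system32
# and its dllcache subfolder); PowerShell 2.0 or later.

function Get-Sha256 {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { [System.BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

function Get-ProQuotaInventory {
    $system32 = Join-Path $env:SystemRoot 'system32'
    $genuine  = Join-Path $system32 'proquota.exe'
    $cached   = Join-Path $system32 'dllcache\proquota.exe'

    $cacheHash = $null
    if (Test-Path -LiteralPath $cached) { $cacheHash = Get-Sha256 $cached }

    $copies = @(Get-ChildItem -Path ($env:SystemDrive + '\') -Filter 'proquota.exe' `
                              -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($f in $copies) {
        $hash  = Get-Sha256 $f.FullName
        $flags = @()
        # Anything outside System32 or dllcache has no business being called proquota.exe.
        if ($f.FullName -ne $genuine -and $f.FullName -ne $cached) { $flags += 'UNEXPECTED LOCATION' }
        # Version-info strings are easily forged, so treat this as a hint only.
        if ($f.VersionInfo.CompanyName -ne 'Microsoft Corporation')  { $flags += 'NOT MARKED AS MICROSOFT' }
        # A System32 copy that differs from the WFP cache was not put there by WFP.
        if ($cacheHash -and $hash -ne $cacheHash)                    { $flags += 'DIFFERS FROM DLLCACHE COPY' }
        New-Object PSObject -Property @{
            Path     = $f.FullName
            Bytes    = $f.Length
            Modified = $f.LastWriteTime
            Sha256   = $hash
            Version  = $f.VersionInfo.FileVersion
            Flags    = ($flags -join '; ')
        }
    }
}

Get-ProQuotaInventory | Format-List Path, Bytes, Modified, Version, Sha256, Flags
```

Two caveats when reading the output. A System32 copy that matches the dllcache copy only proves that File Protection restored its cached file; if both were replaced together the hashes still agree, so the decisive check is comparing the hash with a copy taken from install media (or running sfc /scannow from a clean console). And most XP system binaries carry no embedded Authenticode signature because they are covered by catalog files, so an "unsigned" result from Get-AuthenticodeSignature on that platform is not evidence of tampering.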
Per Ardua ad Astraeus
Join Date: Mar 2000
Location: UK
Posts: 18,579
As Simonta says, you normally need a group policy set for profile size to be considered, and that seems strange for this lady?
I think I heard once that the proquota.exe can be written to C:\Windows\System32\wbem by viruses.
Hippopotomonstrosesquipidelian title
Join Date: Oct 2006
Location: is everything
Posts: 1,826
Keef, you might get slightly more targeted help if you'd mentioned the OS and the virus you believe you got rid of: this sounds like Spyware Protect.
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Thanks for the info - much appreciated.
I think it's coming round to the infection being still there, and in proquota.exe.
I did rename that file (while it wasn't running) to something else, and proquota.exe reappeared on the next boot-up. I've seen Windows do that before with other stuff, so wasn't unduly surprised.
I installed Avast, did a full update of that, and then left it doing a full check when I left her house last night. She's not e-mailed back to say what (if anything) was in the results of that, but she was embarrassed at having clicked on the virus e-mail, and that the children (aged between 19 and 30!) had turned off the protection on the machine.
I'll send her an e-mail to order Win 7 HP while I'm away, and I'll install it when I get back.
Understood on FAT32 for download/uploads. My portable USB 60GB drive is FAT32 anyway: it has to be, because I often use Knoppix to recover stuff from trashed PCs, and Microsoft won't allow Knoppix (or any Linux) to write NTFS format.
There must be a paying career for folks who go round mending PCs! I do lots of it, and am usually sent home with a bottle of good red wine.
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
The OS is Windows XP Professional. Not sure which virus it was: Googling beforehand suggested that the DHL "Your shipment" e-mail usually carries Bredolab trojan, but other options were also suggested.
AVG (when I turned it back on) said it had found file0.exe which it moved to the virus vault, and a rootkit trojan (not named).
I ran an XP install-fix which did a pretty thorough reinstall of a fair proportion of the operating system, and AVG and Avast didn't report anything untoward at startup - I removed AVG 8.5 and installed the latest Avast.
Join Date: Jun 2009
Location: Georgia
Posts: 169
I would also make sure that whatever you back your files up onto is formatted using FAT16 or FAT32 and not NTFS. Don't ask why because I don't have a clue for a technical reason, just have had issues with "where the hell has it got that from again" which stripping it of all its NTFS extras has solved.
damn...
edit..
Alternate Data Streams..thats what it is!
Hippopotomonstrosesquipidelian title
Join Date: Oct 2006
Location: is everything
Posts: 1,826
Bredolab's a download agent: after installation, it downloads other payloads off tinternet. I think the machine's not clean yet. Have you tried Trend Micro's Housecall?
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
I've alerted Gillian to the fact that it's best to unplug the Internet lead from the machine and leave it till I get back to Essex. Then we'll wipe and reinstall (using my FAT32 external HD to store the "stuff" she needs to keep).
Join Date: May 2001
Posts: 10,815
Personally I reckon the children should get a clip round the ear and the suggestion that Dell have some good deals on either desktops or laptops at just about double the price of a copy of windows 7. Which you would get pre-installed anyway.
And at least you would know all the drivers would work.
Join Date: Jan 2006
Location: UK
Posts: 130
Hi Keef
Ignore all the comments about NTFS. For several reasons, it is considerably less vulnerable than FAT to malware - in fact, FAT is to all intents and purposes completely insecure against nasties. Only true though if you don't log on with admin or power user rights. See my previous post. When using FAT, you are effectively running as admin all the time.
It's also higher performance, with no file size limits for practical purposes and is a lot more robust than FAT.
Do a little googling if you need more reassurance but trust me, format with NTFS, make sure you always update and log on as a lowly user to surf and you will be very unlucky to get something. In fact, only 2 ways to get past the "non admin user on a fully patched NTFS system" and that's to exploit a bug (security hole which has not yet had a patch released/applied) or social engineering tricking you into running something bad with elevated rights. The overwhelming majority of nastiness out there relies on users running on FAT, as admin on NTFS or unpatched systems.
I've said it before and I'll say it again. Give me a fully patched Windows system on NTFS with me logged in as a user and I'll challenge anyone to get past me....
On FAT, you are in the wild west....
Cheers
PS. The alternate data streams (ADS) on NTFS can be a problem but not commonly used by baddies and only effective if you are admin or power user. This link is useful:
Computer Forensics - Dissecting NTFS Hidden Streams
PPS. There are *nix drivers which will happily write to NTFS. Microsoft did not do anything to prevent access to NTFS - they simply did not publish the NTFS designs - no bad thing in my book as it all adds to the security.
start [www.linux-ntfs.org]
http://www.ntfs-3g.org/
Last edited by Simonta; 12th Nov 2009 at 23:26.
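The "Alternate Data Streams" point raised a few posts up and the PS in the post above are both about the same NTFS feature, so as an added example (not from this thread) here is a short PowerShell demonstration of what an ADS is, why a file's visible size and Explorer tell you nothing about it, how to find them under a folder, and how to strip them in place without the FAT32 round trip. It needs PowerShell 3.0 or later (for the -Stream parameter) on an NTFS volume; the file name and stream contents are constructed for the demo.

```powershell
# Added example, not part of the original thread. Shows what an NTFS alternate
# data stream is, how to find them, and how to strip them in place.
# Requires PowerShell 3.0 or later (the -Stream parameter) on an NTFS volume;
# the file name and stream contents below are constructed for the demo.

function Get-AdsList {
    param([string]$Path)
    # ':$DATA' is the ordinary, visible content stream; everything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Walk a tree and report every alternate stream found (use on a profile or a
# backup folder before deciding whether it needs "stripping").
function Find-Ads {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AdsList $_.FullName }
}

$demo = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demo -Value 'visible content'

# Two alternate streams: the marker browsers attach to downloads (ZoneId 3 =
# Internet, which is what triggers the "came from another computer" warning),
# and an arbitrary hidden one of the kind a dropper could park data in.
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -LiteralPath $demo -Stream 'stash' -Value 'this is not in the visible file'

'Size as dir/Explorer report it: {0} bytes' -f (Get-Item -LiteralPath $demo).Length
'Alternate streams present:'
Get-AdsList $demo | Format-Table -AutoSize
'Contents of the hidden stream: {0}' -f (Get-Content -LiteralPath $demo -Stream 'stash')

# Strip every ADS in place. Copying through a FAT32 volume drops them for the
# same reason (FAT has nowhere to store them), but this leaves ACLs and
# timestamps on the file alone.
Get-AdsList $demo | ForEach-Object { Remove-Item -LiteralPath $demo -Stream $_.Stream }
'Alternate streams after stripping: {0}' -f @(Get-AdsList $demo).Count

Remove-Item -LiteralPath $demo
```

Find-Ads $env:USERPROFILE lists every stream under the profile; on a normal machine nearly all of them are Zone.Identifier markers on downloads, so anything with an unfamiliar stream name on an executable is what to look at. An ADS is only storage: whatever is in it still has to be launched by something (a registry Run entry, a scheduled task, a service), which is why an ADS on its own is not an infection and why a machine cleaned by copying files through FAT32 can still be infected if the launcher was elsewhere.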
Join Date: Jan 2008
Location: LONDON
Age: 51
Posts: 525
I did rename that file (while it wasn't running) to something else, and proquota.exe reappeared on the next boot-up. I've seen Windows do that before with other stuff, so wasn't unduly surprised.
When renaming, moving, etc. files from Explorer, if it is a registered application, Explorer will handily (read as pain in the ass) update the registry to reflect the changes you have made.
The way to prevent this is to drop to a CMD prompt and do it manually at which point any links with the registry are no longer preserved.
Official PPRuNe Chaplain
Thread Starter
Join Date: Apr 2001
Location: Witnesham, Suffolk
Age: 80
Posts: 3,498
Thanks for those!
My USB drive is FAT - it has to be, because I also write to it from time to time with Knoppix for disk data recovery, and Knoppix isn't allowed to use NTFS. MS made them remove the capability. I will run the drive against Avast before we go further.
Yes, I changed the filename from proquota.exe to proquota.was under a CMD prompt while it was "shut down" - and it reappeared when I rebooted.
Gillian's son e-mailed me this evening to tell me her PC is seriously ill again, and that she's ordered Win 7.
The children are 28, 26, 24, and 19 and now all have their own laptops. This PC will have two users - Admin and Gillian.
Join Date: May 2001
Posts: 10,815
For a built stable machine I am sure NTFS is a wonderful addition to the security if the owner of said machine operates as per the dictates that microsoft want. Which I suspect only ever happens in an administrated network. And almost never in the home environment.
We are talking about cleaning a diseased box of tricks. Which I suspect has been operated in power user mode if not admin on the main user account. It would explain the turning off of the anti virus and also installing games. Which I suspect the issue was with some crap updater for the game getting flagged as malware.
By transferring onto FAT32 then putting back onto NTFS if you so wish you strip all the extras of NTFS, all the ownership problems are gone. It is just a tool to get a job done of restoring a machine.
I must admit thankfully I have only ever worked with networks using Samba to link through onto the unix file servers. Now if you want true security and performance that's the way to go.
Join Date: Jan 2006
Location: UK
Posts: 130
Excuse me mad jock, total tosh. When you convert a volume to NTFS, you get exactly the same file system as you would with a fresh format - the only difference is, it's a populated, converted volume rather than a fresh MFT and boot record. What "extras" do you refer to?
- ACLS? Nope, present on both converted and formatted drives.
- Sym links? Nope, present on both converted and formatted drives.
- ADS? Nope, present on both converted and formatted drives.
- File journaling, mount points, dynamic volumes or checkpoints? Nope, present on both converted and formatted drives.
Also tosh about "the way Microsoft want you to use it". Every PC is a domain member. If you are using NT, 2000, XP, Vista or Windows 7, it is a member of at least one domain - itself. A standalone PC has a domain SID generated during Windows installation.
By "removing the ownership problems" you are removing security - inviting trouble usually followed by some crass comment about Microsoft rather than admission of shooting oneself in the foot. By perpetuating this kind of misinformation, you do everyone a disservice.
Keef, Microsoft didn't make anybody take something out. As I said in my last post, the only reason Knoppix (or anyone else) could not write to NTFS was because MS didn't publish the interfaces. Even that info is out of date though as there are several *nix drivers which will happily write NTFS including on Knoppix. I use NTFS-3G on Ubuntu to write to my Windows 7 box and it works a treat. I believe that it also supports Knoppix but if not, there are plenty of distros out there that do.
Back to the point though, I agree with others that without deep technical knowledge, a rebuild is probably the safest way to go. If you are experienced with Hijackthis, rootkit revealers, Sysinternals and Jsware Stream Viewer, then you will probably recover the machine. If any of these things mean nothing to you, then you risk leaving enough badness behind to compromise the machine again.
PS. Did I mention that you should wean your friend off the admin habit?
It isn't difficult, Linux and Mac folks do it without thinking about it.
Good luck....