TechSpot

Services.msc settings won't hold / sound issues

By kenobi575
Mar 14, 2009
  1. Hello,

    I recently cleared something called recycler (bunch of numbers).com from my system and promptly had soundcard issues. Other issues I face are:

    1) Spybot and Malwarebytes will not run or reinstall.
    2) System restore will not work.
    3) I can't get into safe mode.
    4) services.msc settings for the sound card will not hold, I constantly have to go in there and reset them.
    5) Svchost.exe errors
    6) Windows update keeps taking me to search engine home pages (no matter what I click).

    I have virus scanned using both Norton and Housecall (TrendMicro), scanned using Norton SystemWorks, turned off automatic updates and I've even reinstalled SP3 for XP. I have exhausted everything I know how to do and come to this forum for help. My next option is to format/reinstall and I'd rather not do that.

    I've posted my hijackthis! log - Let me express my thanks in advance : )
     
  2. kritius

    kritius TS Guru Posts: 2,084

    You have a few things in there that I want to check out.

    Fix entries using HiJackThis

    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8A48CAB4-5DA2-4C89-98E5-C2D712B952E7}: NameServer = 85.255.112.198,85.255.112.70
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70


    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary



    There is a(re) file(s) I do not recognize, please carry out the following:

    • Please visit Jotti Online Malware Scan
    • Copy the following line into the white text box:
    • Code:
      C:\WINDOWS\system32\Serandom2.scr
    • Click Submit.
    • Please post the results of this scan to this thread.

    Note: If the server is busy at the above site, try this alternative site:

    • Go to Virus Total-Upload A File.
    • Copy the following line into the white text box:
    • Code:
      C:\WINDOWS\system32\Serandom2.scr
    • Click Send.
    • Please post the results of this scan to this thread.
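
    Added example, not part of the thread and not HijackThis's own code: a small checker that reads HijackThis O17 lines like the ones listed in the post above and reports every `NameServer` value that falls outside the resolvers the machine's owner expects. The trusted range `192.168.1.0/24` and the last sample line are assumptions made for the illustration.

```python
import ipaddress
import re

# Sample input: the R0 and O17 lines are the ones quoted in the post above;
# the last O17 line is constructed here as a benign entry for contrast.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A48CAB4-5DA2-4C89-98E5-C2D712B952E7}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
"""

# O17 line: registry key under a control set, then the NameServer value.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\.+?): "
    r"NameServer = (?P<servers>.+)$"
)


def audit_o17(log_text, trusted_cidrs):
    """Return one finding per O17 NameServer line that lists a resolver
    outside trusted_cidrs (the networks the owner expects DNS to live in)."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for raw in log_text.splitlines():
        m = O17_RE.match(raw.strip())
        if not m:
            continue  # not an O17 NameServer entry
        untrusted, malformed = [], []
        # The registry value may be comma- or space-separated.
        for token in filter(None, re.split(r"[,\s]+", m["servers"])):
            try:
                ip = ipaddress.ip_address(token)
            except ValueError:
                malformed.append(token)
                continue
            if not any(ip in net for net in trusted):
                untrusted.append(str(ip))
        if untrusted or malformed:
            findings.append({
                "key": m["key"],
                "control_set": m["cs"],
                # A {GUID} in the key means a per-adapter setting.
                "scope": "adapter" if "{" in m["key"] else "global",
                "untrusted": untrusted,
                "malformed": malformed,
            })
    return findings


def affected_control_sets(findings):
    """Control sets that carry an untrusted resolver, in log order."""
    seen = []
    for f in findings:
        if f["control_set"] not in seen:
            seen.append(f["control_set"])
    return seen


if __name__ == "__main__":
    results = audit_o17(SAMPLE_LOG, ["192.168.1.0/24"])
    for f in results:
        print(f["control_set"], f["scope"], ",".join(f["untrusted"]))
    print("control sets to recheck:", affected_control_sets(results))
```

    Running the same check on the log taken after "Fix checked" shows whether every control set, and not only the current one, stopped listing the unexpected resolvers.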
     
  3. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    Steps completed, new log posted

    Ok, I've removed the HijackThis! entries you asked me to check and scanned serandom2.scr at the first website and none of the scanners found anything. Serandom2.scr is a screensaver manager which I've had for years to run my 16-bit screensavers on XP.

    I know you did not ask for another HijackThis! log but I attached a new one in case you required it.

    Add to my list of symptoms Windows hangs at startup/shutdown. I did apparently repair the services.msc issue by setting the recovery options for the audio service to "restart after failure" (all three boxes) and wait time to zero.
     
  4. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    New development

    I lost my internet connection shortly after I posted my earlier reply. Fortunately I had this other computer sharing a KVM switch so I was able to post this.

    Outlook Express gives me this error message (attached as a .txt)
     
  5. mflynn

    mflynn TS Rookie Posts: 2,655

    Until kritius gets back to you!

    Do the below

    Type these lines exactly to an open command prompt

    netsh interface ip delete arpcache
    ipconfig /flushdns
    ipconfig /release *
    ipconfig /renew *
    ipconfig /registerdns
    nbtstat -RR
    netsh winsock reset catalog
    netsh int ip reset
    then reboot and if internet is back up continue below!

    Continue

    The Malware you have recognizes SAS and MBAM and is specifically blocking them.

    Download alternate installers (below) for both SAS and MBAM they should install.

    MBAM
    Here http://malwarebytes.gt500.org/mbam-rules.exe
    Or here http://www.malwarebytes.org/mbam/dat...mbam-rules.exe

    For SAS

    Get http://downloads.superantispyware.co...s/SAS_FREE.EXE
    If it installs and still doesn't run then get http://www.superantispyware.com/downloads/RUNSAS.EXE
    Then execute Runsas.exe instead of the SAS Icon.


    Mike
     
  6. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    unable to comply - RPC server unavailable

    Hello,

    Thank you for replying - I attempted to follow your instructions but encountered an issue when I put in the ipconfig / release * and received this message:

    "an error occurred while releasing interface local area connection, the RPC server is unavailable"

    After that, none of the commands worked. I did apparently receive some startup/shutdown efficiency back but that may be temporary.

    I'll keep email on my laptop open and check it often.
     
  7. kritius

    kritius TS Guru Posts: 2,084

    Can you get me a list of installed programs?

    To get an Uninstall List from HijackThis:

    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    OK do the below then

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    
    sc config ClipBook start= disabled
    sc stop ClipBook
    
    sc config Dfs start= disabled
    sc stop Dfs
    
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility
    
    sc config TrkWks start= disabled
    sc stop TrkWks
    
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config ERSvc start= disabled
    sc stop ERSvc
    
    sc config HidServ start= disabled
    sc stop HidServ
    
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    
    sc config CiSvc start= disabled
    sc stop CiSvc
    
    sc config IsmServ start= disabled
    sc stop IsmServ
    
    sc config kdc start= disabled
    sc stop kdc
    
    sc config LicenseService start= disabled
    sc stop LicenseService
    
    sc config Messenger start= disabled
    sc stop Messenger
    
    sc config Netlogon start= disabled
    sc stop Netlogon
    
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    
    sc config NetDDE start= disabled
    sc stop NetDDE
    
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    
    sc config RSVP start= disabled
    sc stop RSVP
    
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    
    sc config upnphost start= disabled
    sc stop upnphost
    
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    
    sc config TlnSvr start= disabled
    sc stop TlnSvr
    
    sc config UPS start= disabled
    sc stop UPS
    
    sc config WebClient start= disabled
    sc stop WebClient
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config RpcSs start= auto
    sc start RpcSs
    
    sc config RpcLocator start= auto
    sc start RpcLocator
    
    sc config MSIServer start= auto
    sc start MSIServer
    exit
    exit
    Then without rebooting attempt to type the lines again.

    Mike

    EDIT: OK kritius I see you are back! If I can be of further help let me know!
     
  9. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    Uninstall list

    To Kritius

    Here is my uninstall list (txt). I recognize most of what is in there but you may see something more...

    Thanks
     
  10. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    Wonderful! the script has restored internet access. Thank you for the input. : )
     
  11. mflynn

    mflynn TS Rookie Posts: 2,655

    If you did post #8 the copy/paste operation and the manually typed lines then..

    Now try to continue the install of MBAM and SAS!

    Get us the logs.

    From your list of startups you must like screensavers but I would get rid of them all!

    Bifix is defunct!
    Adware 6 is defunct; get Adaware 2008 if you are going to use Adaware.
    Java is out of date

    If you have other issues running our Steps/procedures and cleaners turn off Zone Alarm and disable Norton.

    How to disable here
    Disable your installed Malware and Virus protections for these TechSpot Tools and malware scans. This is Step 2 of the 8 Steps!

    For AVG Network Scanner service: Start-Run
    type
    MSCONFIG. Hit OK and select the SERVICES tab and un-check AVG Free8 WatchDog.
    Click APPLY, then OK.
    When you restart your computer AVG won't be running.

    Simply undo this procedure when finished Malware scans.

    From the 8 Steps #3 http://www.techspot.com/vb/topic118528.html
    http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html
    http://www.bleepingcomputer.com/forums/topic114351.html

    Mike
     
  12. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    MBAM and SAS still won't install

    I simply copied/pasted #8 twice into the CMD prompt and that restored internet access. There were no other "to be typed" lines that I could see and I thought I was thorough.

    However, Malwarebytes and Spybot still will not function; they install but do not open/operate.

    I'm having a better time with startup and shut down, the sound issues are apparently fixed and the RPC issue looks resolved. I still have updates turned off and have turned off system restore since it wasn't working. Windows update links are now going to the correct destinations but I am still getting those svchost.exe errors albeit less frequently.

    Log attached.
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    I was talking about these from post #5. The only lines I asked you to "type in" !

    But if Copy/paste fixed it then it was unneeded.

    Run HJT Scan only and select and Fix all lines listed below
    Any line that has (file missing) at the END of the line ONLY at the end. There are other HJT entries we will get back to later.

    Now boot to Safe Mode Networking and do this copy/paste.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    cd\
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    
    sc stop TDSSserv.sys
    sc delete TDSSserv.sys
    :: Above sc commands first stops then deletes service if it exists
    ::
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
    reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
    ::
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
    ::The above reg commands first unloads the reg keys then deletes these keys.
    ::
    Attrib -h -s -r tdss*.* /s
    del /f /q /s tdss*.*
    :: The above two lines first clears protective attributes then 
    :: deletes all files on Drive beginning with the name tdss
    
    :: Remove AntiVirus2009
    attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
    del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
    del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
    del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"
    
    rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"
    
    attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
    rd /s/q "c:\Program Files\Antivirus 2009"
    
    attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
    attrib -h -s -r c:\WINDOWS\system32\scui.cpl
    attrib -h -s -r c:\WINDOWS\system32\winsrc.dll
    
    del /f /q c:\WINDOWS\system32\ieupdates.exe
    del /f /q c:\WINDOWS\system32\scui.cpl
    del /f /q c:\WINDOWS\system32\winsrc.dll
    
    attrib -h -s -r "c:\program files\xwdxqu.txt"
    attrib -h -s -r c:\windows\x
    attrib -h -s -r c:\windows\SxsCaPendDel
    
    del /f /q "c:\program files\xwdxqu.txt"
    del /f /q c:\windows\x
    del /f /q c:\windows\SxsCaPendDel
    
    attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
    attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
    attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys
    
    del /f /q c:\windows\system32\drivers\qh3s.sys 
    del /f /q c:\windows\system32\drivers\jsdpp32.sys
    del /f /q c:\windows\system32\drivers\oxauau96.sys
    
    reg delete HKLM\SOFTWARE\swearware /f
    reg delete HKCU\Software\Wget /f
    reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f
    
    :: rootkit gaopdxserv
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
    attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop gaopdxserv.sys
    sc delete gaopdxserv.sys
    
    del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
    del /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
    del /f /q  "c:\windows\system32\drivers\gaopdxuigiphwm.sys"
    
    sc stop WinSvchostManager
    sc delete WinSvchostManager
    
    sc stop ntndis
    sc delete ntndis
    
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
    attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
    del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"
    
    sc stop u_lehj
    sc delete u_lehj
    
    attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
    del /f /q "c:\program files\Common Files\System\u_lehj32.dll"
    
    attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
    attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"
    
    del /f /q "C:\WINDOWS\system32\svcprs32.exe"
    del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
    del /f /q "C:\WINDOWS\system32\mdmcls32.exe"
    
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
    reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f
    
    reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
    reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
    :: /v names the value to delete under the Run key; the key itself is kept
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "75319611769193918898704537500611" /f
    reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "ieupdate" /f
    echo Finished ripping out Antivirus 2008-9
    :: Fix associations
    ftype exefile="%1" %*
    ftype batfile="%1" %*
    ftype cmdfile="%1" %*
    ftype comfile="%1" %*
    ftype scrfile="%1" /S
    ftype regfile="regedit.exe" "%1"
    ftype piffile="%1" %*
    ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
    ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*
    
    assoc .exe=exefile
    assoc .bat=batfile
    assoc .cmd=cmdfile
    assoc .com=comfile
    assoc .scr=scrfile
    assoc .reg=regfile
    assoc .pif=piffile
    assoc .lnk=lnkfile
    assoc .inf=inffile
    assoc .vbs=VBSFile
    assoc .js=JSFile
    exit
    exit
    This should run and exit!

    It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal, ignore.

    Now shoot for the MBAM and SAS.

    Mike
     
  14. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    Hi Mike,

    I ran that script in safe mode for networking but it did not restore functionality to Spybot or Malwarebytes. I am, however, running SAS_Free/Runsas from post #5. The downloads for MBAM were either ineffective or a dead link. I will post again after runsas finishes; it already found one parasite.coolwebsearch variant
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    OK good!

    Only after posting the log do the below and if it works we will get somewhere!

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while it's running. That may cause it to stall.

    SPECIAL NOTE: If ComboFix will not run then rename ComboFix.exe to 12cbo34.exe and run that.
    =========================================

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click to RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process then say Finished,
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    Mike
     
  16. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    Runsas success

    Hi Mike,

    I just logged in to post that Runsas found a lot of junk and now Spybot and Malwarebytes come up and have updated. Here is the HijackThis Log (as txt).
     
  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Not interested in HJT at this time.

    Get me the SAS log! Click Preferences Statistics/Logs and attach the log.

    It is extremely important that we know what you cleaned as it is a deciding factor in how we proceed!

    Do not omit sending logs!

    Mike
     
  18. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    SAS log

    Here it is as well as the combofix log
     
  19. mflynn

    mflynn TS Rookie Posts: 2,655

    Okey dookie!

    Little infested there aren't we! Not infected infested!

    Another run indicated!
    OK there were found/removed items in both SAS and ComboFix so we need to run again as the first run likely exposed things that were not even seen the first time.

    So another SAS Quick Scan will likely find more. So UPDATE run again.

    Run Combofix and paste a new log.

    As soon as this log is posted we should have broken enough loose that MBAM will now run. So try it again. If the normal MBAM does not install/update or run then try the alternate mbam-rules installer.

    Mike
     
  20. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    Didn't find anything from what I could see

    Here they are - while you're looking these over, I will try and run Malwarebytes.

    Ok, Malwarebytes works...
     
  21. mflynn

    mflynn TS Rookie Posts: 2,655

    OK if we can see a clean MBAM log we may be finished.

    How is the computer running now? Any issues?

    Check all issues from your initial post and if any issues left we will address them directly!

    Ok post the MBAM log when finished!

    Mike
     
  22. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    MBAM log

    Everything appears clear - all symptoms have disappeared up to now.

    What was it that caused all this grief? I'm actually an advanced computer user and whatever this was cut through my stuff like it wasn't there. Any advice?

    Thank you for all you've done.

    Albert
     
  23. kritius

    kritius TS Guru Posts: 2,084

    You could possibly find that the multiple firewalls could have conflicted with each other, Norton had a firewall and then there was Zone alarm.

    Another optional removal could be the Viewpoint media player.

    Go to Start > Run and copy/paste or type: taskmgr
    • Under the Processes tab find the following tasks or processes:
      ViewpointService.exe
      ViewMgr.exe
    • Highlight and click "End Process".
    • Exit Task Manager.
    Click on Start > Run and type: services.msc
    • Press "OK".
    • Click the "Extended tab".
    • Scroll down the list and find the service called "Viewpoint Manager Service"
    • When you find the service, double-click on it.
    • In the Properties Window > General Tab that opens, click the "Stop" button.
    • From the drop-down menu next to "Startup Type", click on "Disabled".
    • Now click "Apply", then "OK" and close any open windows.
    Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

    Finally, delete the following folders if they still exist:
    C:\Program Files\ViewManager\ <-- and delete this folder
    C:\Program Files\Viewpoint\ <-- and delete this folder
     
  24. mflynn

    mflynn TS Rookie Posts: 2,655

    I agree 100% with kritius. I don't like Norton Virus scanner or Firewall nor ZA!

    Anyways before I do my closing do the below.

    1. A fresh HJT log

    2. Update Java as below
    Download JavaRa http://prm753.bchea.org/JavaRa.html

    Unzip it, run it, to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun from here: http://www.java.com/en/download/manual.jsp

    After update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

    Then click "Additional tasks" and check "remove Useless JRE files and Remove JavaRa log files".

    After that run Search for Updates again to confirm you are up to date.
    After that run remove older versions again. This time the Log file should be empty.

    3. Because of the quantity and quality (meaning very bad issues) I recommend an alternative Virus scan so..

    Go here: http://www.techspot.com/vb/post724044-3.html

    Get and run DrWeb CureIt.

    Once the above is complete my closing will cover other issues and give further advice on protections.

    Mike
     
  25. kenobi575

    kenobi575 TS Rookie Topic Starter Posts: 55

    All clear

    Here's the last HJT log after updating java and running Dr.Web cureIt.

    I've never had any problems with Norton Antivirus Corporate or ZoneAlarm. The issues started when I connected a hard drive via IDE to USB cable to clear it for format/reinstall.


    I take it this means that we were looking at a multifaceted infestation; part malware, part virus???
     
Topic Status:
Not open for further replies.
