Services.msc settings won't hold / sound issues

Status
Not open for further replies.

kenobi575

Hello,

I recently cleared something called recycler (bunch of numbers).com from my system and promptly had soundcard issues. Other issues I face are:

1) Spybot and Malwarebytes will not run or reinstall.
2) System restore will not work.
3) I can't get into safe mode.
4) services.msc settings for the sound card will not hold, I constantly have to go in there and reset them.
5) Svchost.exe errors
6) Windows update keeps taking me to search engine home pages (no matter what I click).

I have virus scanned using both Norton and Housecall (TrendMicro), scanned using Norton SystemWorks, turned off automatic updates and I've even reinstalled SP3 for XP. I have exhausted everything I know how to do and come to this forum for help. My next option is to format/reinstall and I'd rather not do that.

I've posted my hijackthis! log - Let me express my thanks in advance : )
 
You have a few things in there that I want to check out.

Fix entries using HiJackThis

  • Launch HiJackThis
  • Click the Do a system scan only button
  • Put a check next to the entries listed below


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A48CAB4-5DA2-4C89-98E5-C2D712B952E7}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70


  • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
  • Click the Fix checked button and close HiJackThis
  • Reboot HijackThis if necessary



There is a(re) file(s) I do not recognize, please carry out the following:

  • Please visit Jotti Online Malware Scan
  • Copy the following line into the white text box:
  • Code:
    C:\WINDOWS\system32\Serandom2.scr
  • Click Submit.
  • Please post the results of this scan to this thread.

Note: If the server is busy at the above site, try this alternative site:

  • Go to Virus Total-Upload A File.
  • Copy the following line into the white text box:
  • Code:
    C:\WINDOWS\system32\Serandom2.scr
  • Click Send.
  • Please post the results of this scan to this thread.
 
Steps completed, new log posted

Ok, I've removed the HijackThis! entries you asked me to check and scanned serandom2.scr at the first website and none of the scanners found anything. Serandom2.scr is a screensaver manager which I've had for years to run my 16-bit screensavers on XP.

I know you did not ask for another HijackThis! log but I attached a new one in case you required it.

Add to my list of symptoms Windows hangs at startup/shutdown. I did apparently repair the services.msc issue by setting the recovery options for the audio service to "restart after failure" (all three boxes) and wait time to zero.
 
New development

I lost my internet connection shortly after I posted my earlier reply. Fortunately I had this other computer sharing a KVM switch so I was able to post this.

Outlook Express gives me this error message (attached as a .txt)
 
Until kritius gets back to you!

Do the below

Type these lines exactly to an open command prompt

netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
netsh winsock reset catalog
netsh int ip reset
then reboot and if internet is back up continue below!

Continue

The Malware you have recognizes SAS and MBAM and is specifically blocking them.

Download alternate installers (below) for both SAS and MBAM they should install.

MBAM
Here http://malwarebytes.gt500.org/mbam-rules.exe
Or here http://www.malwarebytes.org/mbam/dat...mbam-rules.exe

For SAS

Get http://downloads.superantispyware.co...s/SAS_FREE.EXE
If it installs and still won't run, then get http://www.superantispyware.com/downloads/RUNSAS.EXE
Then execute Runsas.exe instead of the SAS Icon.


Mike
 
unable to comply - RPC server unavailable

Hello,

Thank you for replying - I attempted to follow your instructions but encountered an issue when I put in the ipconfig / release * and received this message:

"an error occurred while releasing interface local area connection, the RPC server is unavailable"

after that, none of the commands worked. I did apparently receive some startup/shutdown efficiency back but that may be temporary.

I'll keep email on my laptop open and check it often.
 
Can you get me a list of installed programs?

To get an Uninstall List from HijackThis:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
 
OK do the below then

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
sc config Alerter start= disabled
sc stop Alerter

sc config AeLookupSvc start= disabled
sc stop AeLookupSvc

sc config ClipBook start= disabled
sc stop ClipBook

sc config Dfs start= disabled
sc stop Dfs

sc config FastUserSwitchingCompatibility start= disabled
sc stop FastUserSwitchingCompatibility

sc config TrkWks start= disabled
sc stop TrkWks

sc config TrkSvr start= disabled
sc stop TrkSvr

sc config DNSCache start= disabled
sc stop DNSCache

sc config ERSvc start= disabled
sc stop ERSvc

sc config HidServ start= disabled
sc stop HidServ

sc config PolicyAgent start= disabled
sc stop PolicyAgent

sc config CiSvc start= disabled
sc stop CiSvc

sc config IsmServ start= disabled
sc stop IsmServ

sc config kdc start= disabled
sc stop kdc

sc config LicenseService start= disabled
sc stop LicenseService

sc config Messenger start= disabled
sc stop Messenger

sc config Netlogon start= disabled
sc stop Netlogon

sc config NetTcpPortSharing start= disabled
sc stop NetTcpPortSharing

sc config mnmsrvc start= disabled
sc stop mnmsrvc

sc config NetDDE start= disabled
sc stop NetDDE

sc config NetDDEdsdm start= disabled
sc stop NetDDEdsdm

sc config NtLmSsp start= disabled
sc stop NtLmSsp

sc config SysmonLog start= disabled
sc stop SysmonLog

sc config RSVP start= disabled
sc stop RSVP

sc config SSDPSRV start= disabled
sc stop SSDPSRV

sc config upnphost start= disabled
sc stop upnphost

sc config WMPNetworkSvc start= disabled
sc stop WMPNetworkSvc

sc config WmiApSrv start= disabled
sc stop WmiApSrv

sc config WmdmPmSN start= disabled
sc stop WmdmPmSN

sc config RemoteRegistry start= disabled
sc stop RemoteRegistry

sc config RemoteAccess start= disabled
sc stop RemoteAccess

sc config SCardSvr start= disabled
sc stop SCardSvr

sc config TlnSvr start= disabled
sc stop TlnSvr

sc config UPS start= disabled
sc stop UPS

sc config WebClient start= disabled
sc stop WebClient

sc config DNSCache start= disabled
sc stop DNSCache

sc config RpcSs start= auto
sc start RpcSs

sc config RpcLocator start= auto
sc start RpcLocator

sc config MSIServer start= auto
sc start MSIServer
exit
exit

Then without rebooting attempt to type the lines again.

Mike

EDIT: OK kritius I see you are back! If I can be of further help let me know!
 
Uninstall list

To Kritius

Here is my uninstall list (txt). I recognize most of what is in there but you may see something more...

Thanks
 
If you did post #8 the copy/paste operation and the manually typed lines then..

Now try to continue the install of MBAM and SAS!

Get us the logs.

From your list of startups you must like screensavers but I would get rid of them all!

Bifix is defunct!
Adware 6 is defunct get Adaware 2008 if you are going to use Adaware.
Java is out of date

If you have other issues running our Steps/procedures and cleaners turn off Zone Alarm and disable Norton.

How to disable here
Disable your installed Malware and Virus protections for these TechSpot Tools and malware scans. This is Step 2 of the 8 Steps!

For AVG Network Scanner service: Start-Run
type
MSCONFIG. Hit OK and select the SERVICES tab and un-check AVG Free8 WatchDog.
Click APPLY, then OK.
When you restart your computer AVG won't be running.

Simply undo this procedure when finished Malware scans.

From the 8 Steps #3 https://www.techspot.com/vb/topic118528.html
http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html
http://www.bleepingcomputer.com/forums/topic114351.html

Mike
 
MBAM and SAS still won't install

I simply copied/pasted #8 twice into the CMD prompt and that restored internet access. There were no other "to be typed" lines that I could see and I thought I was thorough.

However, Malwarebytes and Spybot still will not function; they install but do not open/operate.

I'm having a better time with startup and shut down, the sound issues are apparently fixed and the RPC issue looks resolved. I still have updates turned off and have turned off system restore since it wasn't working. Windows update links are now going to the correct destinations but I am still getting those svchost.exe errors albeit less frequently.

Log attached.
 
I was talking about these from post #5. The only lines I asked you to "type in" !

Type these lines exactly to an open command prompt

netsh interface ip delete arpcache
ipconfig /flushdns
ipconfig /release *
ipconfig /renew *
ipconfig /registerdns
nbtstat -RR
netsh winsock reset catalog
netsh int ip reset
then reboot and if internet is back up continue below!

But if Copy/paste fixed it then it was unneeded.

Run HJT Scan only and select and Fix all lines listed below
Any line that has (file missing) at the END of the line, ONLY at the end. There are other HJT entries we will get back to later.

Now boot to Safe Mode Networking and do this copy/paste.

Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.

Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

Code:
@echo off
cd\
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile

sc stop TDSSserv.sys
sc delete TDSSserv.sys
:: Above sc commands first stops then deletes service if it exists
::
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata"
reg unload "HKEY_LOCAL_MACHINE\SOFTWARE\tdss"
::
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\tdss" /f
::The above reg commands first unloads the reg keys then deletes these keys.
::
Attrib -h -s -r tdss*.* /s
del /f /q /s tdss*.*
:: The above two lines first clears protective attributes then 
:: deletes all files on Drive beginning with the name tdss

:: Remove AntiVirus2009
attrib -h -s -r "%UserProfile%\Desktop\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
attrib -h -s -r "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
attrib -h -s -r "%UserProfile%\Start Menu\Antivirus 2009\*.*"

del /f /q "%UserProfile%\Desktop\Antivirus 2009.lnk"
del /f /q  "%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 2009.lnk"
del /f /q "%UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\S96PZM7V\winsrc[1].dll"
del /f /q "%UserProfile%\Start Menu\Antivirus 2009\*.*"

rd /s /q "%UserProfile%\Start Menu\Antivirus 2009"

attrib -h -s -r "c:\Program Files\Antivirus 2009\*.*"
rd /s/q "c:\Program Files\Antivirus 2009"

attrib -h -s -r c:\WINDOWS\system32\ieupdates.exe
attrib -h -s -r c:\WINDOWS\system32\scui.cpl
attrib -h -s -r c:\WINDOWS\system32\winsrc.dll

del /f /q c:\WINDOWS\system32\ieupdates.exe
del /f /q c:\WINDOWS\system32\scui.cpl
del /f /q c:\WINDOWS\system32\winsrc.dll

attrib -h -s -r "c:\program files\xwdxqu.txt"
attrib -h -s -r c:\windows\x
attrib -h -s -r c:\windows\SxsCaPendDel

del /f /q "c:\program files\xwdxqu.txt"
del /f /q c:\windows\x
del /f /q c:\windows\SxsCaPendDel

attrib -h -s -r c:\windows\system32\drivers\qh3s.sys
attrib -h -s -r c:\windows\system32\drivers\jsdpp32.sys
attrib -h -s -r c:\windows\system32\drivers\oxauau96.sys

del /f /q c:\windows\system32\drivers\qh3s.sys 
del /f /q c:\windows\system32\drivers\jsdpp32.sys
del /f /q c:\windows\system32\drivers\oxauau96.sys

reg delete HKLM\SOFTWARE\swearware /f
reg delete HKCU\Software\Wget /f
reg delete HKLM\Software\Classes\CLSID\{CD363BEC-7150-B887-530D-F3E2E0424EA} /f

:: rootkit gaopdxserv
attrib -h -s -r "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
attrib -h -s -r "c:\windows\system32\gaopdxqpqjwmyc.dll"
attrib -h -s -r "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop gaopdxserv.sys
sc delete gaopdxserv.sys

del /f /q "c:\windows\system32\drivers\gaopdxqfotrruc.sys"
del /f /q  "c:\windows\system32\gaopdxqpqjwmyc.dll"
del /f /q "c:\windows\system32\drivers\gaopdxuigiphwm.sys"

sc stop WinSvchostManager
sc delete WinSvchostManager

sc stop ntndis
sc delete ntndis

attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.exe"
attrib -h -s -r "C:\WINDOWS\system32\drivers\ntndis.sys"

del /f /q "C:\WINDOWS\system32\drivers\ntndis.exe"
del /f /q "C:\WINDOWS\system32\drivers\ntndis.sys"

sc stop u_lehj
sc delete u_lehj

attrib -h -s -r "c:\program files\Common Files\System\u_lehj32.dll"
del /f /q "c:\program files\Common Files\System\u_lehj32.dll"

attrib -h -s -r "C:\WINDOWS\system32\svcprs32.exe"
attrib -h -s -r "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
attrib -h -s -r "C:\WINDOWS\system32\mdmcls32.exe"

del /f /q "C:\WINDOWS\system32\svcprs32.exe"
del /f /q "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dllhost.exe"
del /f /q "C:\WINDOWS\system32\mdmcls32.exe"

reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gaopdxserv.sys" /f
reg delete "HKEY_LOCAL_MACHINE\Software\Classes\gaopdxvx" /f

reg delete "HKEY_CURRENT_USER\Software\75319611769193918898704537500611" /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{037C7B8A-151A-49E6-BAED-CC05FCB50328}" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "75319611769193918898704537500611" /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" "ieupdate" /f
echo Finished ripping out Antivirus 2008-9
:: Fix associations
ftype exefile="%1" %*
ftype batfile="%1" %*
ftype cmdfile="%1" %*
ftype comfile="%1" %*
ftype scrfile="%1" /S
ftype regfile="regedit.exe" "%1"
ftype piffile="%1" %*
ftype inffile=%SystemRoot%\System32\NOTEPAD.EXE "%1"
ftype vbsfile=%SystemRoot%\System32\WScript.exe "%1" %*
ftype jsfile=%SystemRoot%\System32\WScript.exe "%1" %*

assoc .exe=exefile
assoc .bat=batfile
assoc .cmd=cmdfile
assoc .com=comfile
assoc .scr=scrfile
assoc .reg=regfile
assoc .pif=piffile
assoc .lnk=lnkfile
assoc .inf=inffile
assoc .vbs=VBSFile
assoc .js=JSFile
exit
exit

This should run and exit!

It is a coverall and you may see a few errors related to it addressing something you do not need. This is normal ignore.

Now shoot for the MBA and SAS.

Mike
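As an added example (not code from this thread, from HijackThis or from the helpers here), a small Python triage of HJT log lines that applies the two rules the helpers used in this thread: flag O17 NameServer entries whose resolvers are outside the LAN and not on a trusted list (the rogue 85.255.112.x pair above is what redirected Windows Update), and flag lines ending in "(file missing)" or "(no file)". The sample log is constructed from the entries quoted in this thread plus made-up benign lines; the trusted-resolver list is an assumption the reader fills in with their ISP's real DNS servers.

```python
import re
from ipaddress import ip_address

# Constructed sample HJT log. The R0/O9/O17 lines are the ones quoted in this
# thread; the O4/O23 lines are made-up benign entries included for contrast.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ieupdate] C:\WINDOWS\system32\ieupdates.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A48CAB4-5DA2-4C89-98E5-C2D712B952E7}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\WINDOWS\System32\svchost.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
NAMESERVER = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def nameservers(body):
    """IPs listed after 'NameServer =' in an O17 entry (empty list if none)."""
    m = NAMESERVER.search(body)
    return [ip.strip() for ip in m.group("ips").split(",") if ip.strip()] if m else []


def is_rogue_dns(ip_text, trusted):
    """A resolver is acceptable only if it is on the LAN/loopback or explicitly trusted."""
    try:
        ip = ip_address(ip_text)
    except ValueError:
        return True  # garbage where an address should be: treat as suspicious
    return not (ip.is_private or ip.is_loopback or ip_text in trusted)


def triage_hjt(log_text, trusted_dns=()):
    """Return (section, reason, line) for each line the thread's helpers would fix."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O17":
            rogue = [ip for ip in nameservers(body) if is_rogue_dns(ip, trusted_dns)]
            if rogue:
                findings.append((sec, "DNS hijack: untrusted resolver(s) " + ",".join(rogue), line))
        elif body.endswith(ORPHAN_MARKERS):
            findings.append((sec, "orphaned entry (target file missing)", line))
        elif sec in ("R0", "R1") and body.endswith("about:blank"):
            findings.append((sec, "browser start/search page reset to about:blank", line))
    return findings


def rogue_dns_servers(log_text, trusted_dns=()):
    """Sorted list of rogue resolver IPs, usable as a firewall/proxy block list."""
    ips = set()
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m and m.group("sec") == "O17":
            ips.update(ip for ip in nameservers(m.group("body")) if is_rogue_dns(ip, trusted_dns))
    return sorted(ips)


if __name__ == "__main__":
    for sec, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{sec}] {reason}\n    {line}")
    print("block at the perimeter:", rogue_dns_servers(SAMPLE_HJT_LOG))
```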
 
Hi Mike,

I ran that script in safe mode for networking but it did not restore functionality to Spybot or Malwarebytes. I am, however, running SAS_Free/Runsas from post #5. The downloads for MBAM were either ineffective or a dead link. I will post again after runsas finishes; it already found one parasite.coolwebsearch variant
 
OK good!

Only after posting the log do the below and if it works we will get somewhere!

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.

SPECIAL NOTE: If ComboFix will not run then rename ComboFix.exe to 12cbo34.exe and run that.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click to RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished,
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

Mike
 
Runsas success

Hi Mike,

I just logged in to post that Runsas found a lot of junk and now Spybot and Malwarebytes come up and have updated. Here is the HijackThis Log (as txt).
 
Not interested in HJT at this time.

Get me the SAS log! Click Preferences Statistics/Logs and attach the log.

It is extremely important that we know what you cleaned as it is a deciding factor in how we proceed!

Do not omit sending logs!

Mike
 
Okey dookie!

Little infested there aren't we! Not infected infested!

Another run indicated!
OK there were found/removed items in both SAS and ComboFix so we need to run again as the first run likely exposed things that were not even seen the first time.

So another SAS Quick Scan will likely find more. So UPDATE run again.

Run Combofix and paste a new log.

As soon as this log is posted we should have broken enough loose that MBA will now run. So try it again. If the normal MBAM does not install/update or run then try the alternate mbam-rules installer.

Mike
 
Didn't find anything from what I could see

Here they are - while you're looking these over, I will try and run Malwarebytes.

Ok, Malwarebytes works...
 
OK if we can see a clean MBAM log we may be finished.

How is the computer running now? Any issues?

Check all issues from your initial post and if any issues left we will address them directly!

Ok post the MBAM log when finished!

Mike
 
MBAM log

Everything appears clear - all symptoms have disappeared up to now.

What was it that caused all this grief? I'm actually an advanced, computer user and whatever this was cut through my stuff like it wasn't there. Any advice?

Thank you for all you've done.

Albert
 
You could possibly find that the multiple firewalls could have conflicted with each other, Norton had a firewall and then there was Zone alarm.

Another optional removal could be the Viewpoint media player.

'To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.'

Go to Start > Run and copy/paste or type: taskmgr
  • Under the Processes tab find the following tasks or processes:
    ViewpointService.exe
    ViewMgr.exe
  • Highlight and click "End Process".
  • Exit Task Manager.
Click on Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended tab".
  • Scroll down the list and find the service called "Viewpoint Manager Service"
  • When you find the service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Disabled".
  • Now click "Apply", then "OK" and close any open windows.
Click on Start > Settings > Control Panel > Add/Remove Programs > highlight and remove all references to Viewpoint - i.e. Viewpoint, Viewpoint Manager, Viewpoint Media Player.

Finally, delete the following folders if they still exist:
C:\Program Files\ViewManager\ <-- and delete this folder
C:\Program Files\Viewpoint\ <-- and delete this folder
 
I agree 100% with kritius. I don't like Norton Virus scanner or Firewall nor ZA!

Anyways before I do my closing do the below.

1. A fresh HJT log

2. Update Java as below
Download JavaRa http://prm753.bchea.org/JavaRa.html

Unzip it, run it, to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun from here: https://www.techspot.com/downloads/6463-java-se.html

After update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

Then click "Additional tasks" and check "Remove useless JRE files" and "Remove JavaRa log files".

After that run Search for Updates again to confirm you are up to date.
After that run remove older versions again. This time the Log file should be empty.

3. Because of the quantity and quality (meaning very bad issues) I recommend an alternative Virus scan so..

Go here: https://www.techspot.com/vb/post724044-3.html

Get and run Dr.Web CureIt.

Once the above is complete my closing will cover other issues and give further advice on protections.

Mike
 
All clear

Here's the last HJT log after updating java and running Dr.Web cureIt.

I've never had any problems with Norton Antivirus Corporate or ZoneAlarm. The issues started when I connected a hard drive via IDE to USB cable to clear it for format/reinstall.


I take it this means that we were looking at a multifaceted infestation; part malware, part virus???
 