matrix virus?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by sixpackgirl, Mar 17, 2007.

  1. sixpackgirl

    sixpackgirl Private E-2

    I recently started to get a pop-up warning asking me if I wanted to keep on blocking Windows Explorer. I had been clicking "Keep Blocking" but I had no idea what it was. Last night I finally clicked "Unblock" and this chat window popped out saying something along the lines of: "Welcome to the Matrix, show me your tits within 1 min. and i'll spare your computer". I freaked out, so I restarted it and immediately opened my McAfee, and as it started scanning, the chat window popped out again and it said "your antivirus isn't doing shit, i'm still gonna **** up your computer" and some other stuff. So I restarted it in safe mode and ran Spybot; it did catch something that my McAfee didn't find. Does anyone know how to get rid of this virus, or has anyone heard of anything like this?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you should have followed the instructions given to you last time you came here asking for help. I reference this http://forums.majorgeeks.com/showthread.php?t=118968 where you posted a request for help and then ignored the message. Do you plan on following through this time, because the instructions are the same?
     
  3. sixpackgirl

    sixpackgirl Private E-2

    I didn't ignore the instructions. This is a different computer (laptop). I've already fixed my PC at home while following the instructions, but I hadn't seen anything like what I have on my computer. I have scanned it, but it still keeps on popping out even after I've quarantined it and deleted it. I apologize for the inconvenience, but I'm obviously not computer savvy and I had a hard time understanding all of the instructions.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They are our only insight into what is really going on in your computer and they are necessary steps in order for us to be able to help. Hundreds of novice PC users run them each week. Just follow them slowly, one step at a time and in the order written. Don't skip or jump around because that will confuse you.

    Attach the requested logs when finished.
     
  5. sixpackgirl

    sixpackgirl Private E-2

    Thanks, I will do that no later than today. It's starting to disable my firewall and antivirus now. :'( I appreciate all of your help :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. There are quite a few malware programs out there that will disable protection software. Running those steps will help us find your problem. ;)
     
  7. sixpackgirl

    sixpackgirl Private E-2

    Ok, here are the logs. It kept on freezing on the Panda ActiveScan and the BitDefender, and it did not let me run GetRunKey or ShowNew; those just kept on closing and it said the Administrator had blocked them :/ Anyway, here they are:

    Counter Spy:
    Scan History Details
    Start Date: 3/19/2007 11:27:20 AM
    End Date: 3/19/2007 1:16:50 PM
    Total Time: 109 Min 30 Sec
    Detected security risks
    No risks were found during this scan.
    **(this was run after it had deleted Backdoor.Ciadoor and
    Email-Worm.Win32.Doombot.b)

    AVG:
    C:\WINDOWS\system32\g5tCjtRcMO.ini
    infected with Backdoor.Ciadoor.y

    I've also used Spybot and nothing came out in the report; it said it was clean. I haven't had any trouble with it, but I just get really paranoid :/ I also need to mention that not even my McAfee caught any of these, and I pay for that service, which really blows! I still can't figure out why I can't run those 3 programs either. Any suggestions?

    I appreciate you helping me, thanks :)
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In the future, please attach the full logs from the programs as requested. Do not post logs inline with your messages.

    Who is the administrator of this PC? For the user account that you are running the scans on, what type of account is it? (i.e., is it an account with Administrator privileges or is it a restricted account?) Also you must make sure that you are not blocking the programs from running via your antivirus program!!

    When you tried to run Panda and BitDefender, did you do what step 6 instructed first? That is, uninstall ALL old Sun Java versions and install the current version?? Also what browser were you using?

    What about a HijackThis log as requested in step 7 of the READ ME?
     
  9. sixpackgirl

    sixpackgirl Private E-2

    Ok, I tried it for the 2nd time. I got the logs; I'll attach them at the bottom. As far as msconfig, it did not let me change to Normal boot mode; it said it had to be done by the administrator. However, my account is the only one on this laptop and it says I am the administrator, so I have no idea what the deal is. I still ran HijackThis. It still will not run the getrunkey.bat or the shownew.bat files; it says: "This command prompt has been disabled by your administrator. Press any key to continue"

    Oh, and sorry about posting the logs in the message. I'll post them as attachments this time, thanks.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try booting in safe mode and logging into the account that is really named Administrator. Can you run MSconfig properly now? What about GetRunKey and ShowNew?

    Are you going to attach any logs? Like HijackThis?
     
  11. sixpackgirl

    sixpackgirl Private E-2

    sorry this is my 2nd attempt, they're attached now
     


  12. sixpackgirl

    sixpackgirl Private E-2


    Ok, I've just finished restarting it in safe mode and tried to run msconfig, and it gave me this message:

    "An Access Denied error was returned while attempting to change a service. You may need to log on using an Administrator account to make the specified change"

    I was logged onto the administrator account. I also tried to run those other 2 ".bat" files and nothing. Is that a bad thing?? Sorry, I don't mean to sound like an airhead, ha ha :(
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Where did you get the copy of McAfee that you are running? It appears to possibly be some kind of beta test version.

    I have to ask you why you are blocking Windows Explorer and what is the popup from? If you block applications from running using your antivirus or firewall then you will obviously have all kinds of problems. I would suggest that you disable all the features you have configured in McAfee. You need to understand how to use and configure the software you install on your PC. Perhaps it would even be easier at this point if you just totally uninstalled McAfee. You may find that all your troubles may clear up after doing that.


    Note you also never uninstalled the Viewpoint Manager / Viewpoint software as requested in step 0 of the READ ME.

    Also I see a service left over from having Symantec installed at some point. Did you have Symantec AV installed in the past? Did you uninstall it before or after installing McAfee?
     
  14. sixpackgirl

    sixpackgirl Private E-2

    I had the McAfee installed here at my work; it's the corporate antivirus. One of the techs installed it for me, and he uninstalled the Symantec because it had expired.

    I'm not sure if you remember I had mentioned that the firewall had asked me if I wanted to keep on blocking or unblock Windows Explorer? Well, when all this problem started I unblocked it and a black window popped out and someone started telling me gross stuff and said if I didn't do it, he/she would mess up my computer. Then I had to restart it, ran the McAfee as soon as it started up, then the chat window popped out again and said my antivirus wasn't doing anything, that he'd still mess it up. That was the confusing part for me because I've had viruses in my computers before, but I had never seen anything like a chat window popping out and threatening like that.

    I don't recall uninstalling the Viewpoint. Can I reinstall it?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I suggest you start to resolve your problems by uninstalling McAfee.

    After uninstalling McAfee, reboot and attach new logs from ShowNew and HijackThis.

    We have several very good free antivirus programs and firewalls that will give you less headaches than McAfee.

    Now please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please attach the BlackLight log.

    You misunderstood! You need to uninstall all things you see in Add/Remove Programs that are named Viewpoint....... etc. Step 0 of the READ ME gives a list of about 300 items to uninstall. Several items with Viewpoint are listed.
     
  16. sixpackgirl

    sixpackgirl Private E-2


    Ok, I've uninstalled the McAfee and installed another antivirus (AVG). I scanned it and it came out clean. I tried to run GetRunKey and ShowNew; I still get the same message. I've also uninstalled the Viewpoint and went down the list to see if I had anything else. Sorry for the misunderstanding; I need to re-read things sometimes :/
     


  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try the below and tell me what happens!
    • Click Start, Run and Copy & Paste in the below command exactly as given:
    REG add HKCU\Software\Policies\Microsoft\Windows\System /v DisableCMD /t REG_DWORD /d 0 /f


    If you get any messages, tell me what they say. If you get one asking you to approve the change click Yes or OK.

    Now can you run GetRunKey and ShowNew?
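    The REG add above clears one specific value: DisableCMD under HKCU\Software\Policies\Microsoft\Windows\System. A value of 1 blocks both the interactive cmd.exe and .bat/.cmd script processing (which is why the two batch files reported "disabled by your administrator"); 2 blocks only the interactive prompt. Malware that locks a user out usually sets several such values at once, and the same value names are honoured under HKLM, so clearing the HKCU copy alone may not be enough. The PowerShell script below is an added example and not part of this thread or the MajorGeeks procedure; it audits the common lockout values in both hives and resets them only when run with -Fix. The value names and their locations are Microsoft's documented policy values; which ones to check, the script name and its structure are my own choices, and it assumes PowerShell 3 or later run from an elevated prompt.

```powershell
# Added example (not from the thread): audit and, with -Fix, reset the policy values that
# malware sets to lock a user out of cmd.exe, regedit, Task Manager, Run and Folder Options.
# Value names/locations are Microsoft's documented policy values; the selection is my own.
# Run from an elevated PowerShell (3+) prompt so the HKLM copies can be read and reset too.
param([switch]$Fix)

$checks = @(
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Note = '1 = block cmd.exe and .bat/.cmd; 2 = block interactive cmd.exe only' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Note = 'non-zero blocks regedit' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Note = 'non-zero blocks Task Manager' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                Note = 'non-zero removes Start > Run' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      Note = 'non-zero hides Folder Options (keeps hidden files hidden)' }
)

$findings = @()
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($c in $checks) {
        $path = "${hive}:\$($c.Key)"
        if (-not (Test-Path $path)) { continue }
        $name = $c.Name
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value absent = policy not configured
        $value = [int]$item.$name
        if ($value -eq 0) { continue }             # 0 = not restricted
        $findings += [pscustomobject]@{ Path = $path; Name = $name; Value = $value; Note = $c.Note }
        if ($Fix) {
            # 0 is the documented "not restricted" state; deleting the value would do as well.
            Set-ItemProperty -Path $path -Name $name -Value 0 -Type DWord
        }
    }
}

if ($findings.Count -eq 0) {
    'No lockout policy values set.'
} else {
    $findings | Format-Table -AutoSize
    if (-not $Fix) { 'Re-run with -Fix to reset the values above to 0.' }
}
```

    Run it once without -Fix to see what is set and where, then with -Fix. One caveat for a work laptop like the one in this thread: if a value is delivered by Group Policy rather than planted by malware, it will come back at the next policy refresh; gpresult /r shows which GPOs apply, and the fix then belongs in the policy, not the registry.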
     
  18. sixpackgirl

    sixpackgirl Private E-2

    Ok, got it! Here are the logs :D Thanks again.
     


    Last edited by a moderator: Mar 22, 2007
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it looks like McAfee did not uninstall properly. Let's fix this.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Network Associates McShield
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now repeat the above to Stop and Disable the below two Services (if you do not find them or get any errors, just continue):
      • Network Associates Task Manager
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste McShield into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now repeat the above to delete the below two Services (if you do not find them or get any errors, just continue):
      • McTaskManager
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the Sunbelt CounterSpy trial since we are finished with it now!

    Now delete the below two folders if found.
    C:\Documents and Settings\Beatriz Sanchez\Application Data\Viewpoint
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software

    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\winsock32.sys
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
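    Two parts of the procedure above are worth being able to do and verify without the GUI tools: stopping, disabling and deleting a leftover service (the services.msc plus HJT "Delete an NT Service" steps), and checking what "Delete on Reboot" actually queued. Killbox's delete-on-reboot, like other such tools, goes through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which appends to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; that is the PendingFileRenameOperations prompt the post mentions. The script below is an added example, not part of this thread: it takes the two McAfee service names from the post as defaults, and everything else (parameter names, output format) is my own. It assumes an elevated PowerShell 3+ prompt and, for deletion, sc.exe.

```powershell
# Added example (not from the thread): stop, disable and optionally delete leftover services,
# then decode PendingFileRenameOperations to show what a delete-on-reboot tool has queued.
# Default service names are the two from the post; the rest is my own code and naming.
# Run from an elevated PowerShell (3+) prompt.
param(
    [string[]]$Services = @('McShield', 'McTaskManager'),
    [switch]$Remove
)

foreach ($svc in $Services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { "$svc : not present"; continue }
    # Stop it, then disable it so it cannot come back on the next boot even if deletion is deferred.
    if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $svc -StartupType Disabled
    if ($Remove) {
        # sc.exe delete marks the service for deletion; the SCM drops it once no handles remain,
        # which is why a reboot usually follows. Same effect as HJT's "Delete an NT Service".
        & sc.exe delete $svc | Out-Null
        "$svc : stopped, disabled, marked for deletion"
    } else {
        "$svc : stopped and disabled (add -Remove to delete it)"
    }
}

# PendingFileRenameOperations holds pairs: source path, then destination, both with the NT "\??\"
# prefix. An empty destination means "delete at boot"; a destination starting with "!" means
# "replace an existing file" (MOVEFILE_REPLACE_EXISTING).
$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$raw = (Get-ItemProperty -Path $smKey -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
$pending = if ($raw) { @($raw) } else { @() }
if ($pending.Count -eq 0) {
    'PendingFileRenameOperations: nothing queued'
} else {
    for ($i = 0; $i + 1 -lt $pending.Count; $i += 2) {
        $src = $pending[$i] -replace '^\\\?\?\\', ''
        $dst = $pending[$i + 1]
        if ([string]::IsNullOrEmpty($dst)) {
            "DELETE  $src"
        } else {
            $flag = if ($dst.StartsWith('!')) { ' (replace existing)' } else { '' }
            "RENAME  $src -> $($dst.TrimStart('!') -replace '^\\\?\?\\', '')$flag"
        }
    }
}
```

    Run it first without -Remove to confirm the services stop and stay disabled, then with -Remove. The PendingFileRenameOperations listing is the check to make before rebooting: a DELETE line for C:\WINDOWS\system32\winsock32.sys confirms the Killbox step took, and any path you did not queue yourself is worth a look, since the same mechanism is available to malware that wants to replace a system file at boot.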
     
  20. sixpackgirl

    sixpackgirl Private E-2

    Ok, all done so far. I kinda skimmed through the shownew.bat log and noticed it said something about W32.Beagle.FF@mm. Is that in my computer?? I understood your instructions very well. Thanks for writing them out for me.
     


    Last edited by a moderator: Mar 22, 2007
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not quote my procedures for no reason. It clutters up the thread and makes it longer than necessary. Just click Reply instead of Quote! Only quote like I did below when it is necessary to address a particular item.

    No, it did not say that! It said: No matches found. Thus, as it already stated, you do not have the worm.


    You did not tell me how things are working.

    Note I don't recommend using both Windows Defender and Spyware Doctor. Is Spyware Doctor a paid version?

    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Automatic LiveUpdate Scheduler
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste Automatic LiveUpdate Scheduler into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.
    Now attach a new HJT log.
     
  22. sixpackgirl

    sixpackgirl Private E-2

    Here's the new log.

    My computer has been running very well. I uninstalled Spyware Doctor and left Windows Defender. It had been slow in the beginning, but I uninstalled a few programs and it seems to be starting up faster now.
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  24. sixpackgirl

    sixpackgirl Private E-2

    Thank you so much for your help, i appreciate all of your patience!

    On another note, I was not able to do the system restore on my computer. The tab doesn't even show up on the window. I don't understand why it's not letting me when I AM the administrator and the only person that uses this laptop.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    I will give you a couple of things to look at related to System Restore. If they don't help, you will have to continue to work this in the Software Forum. It could just be that your System Restore service has been stopped.

    Start with this.

    • run Windows Explorer and navigate to C:\Windows\inf
    • scroll down to locate the file named sr.inf and right click on it and select Install
    • follow any prompts
    If the above does not help try this.

    Now Copy the bold text below to notepad. Save it as fixSR.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    If that does not help, take a look at the below link:

    How to troubleshoot the System Restore tool in Windows XP
     
  26. sixpackgirl

    sixpackgirl Private E-2

    Wow, if it's not one thing it's another, hahaha! I have not been able to restore it at all. I tried your instructions and it gave me the following message:

    "System Restore encountered an error trying to enable/disable one or more drives. Please restart and try again"

    I tried restarting it and double-clicking on the .reg file I copied to Notepad, then right-clicked My Computer and the System Restore tab was gone!


    Then I tried to do what the link you gave me instructed and this error message popped up:

    "Could not start the system restore service, service on Local Computer - Error 2:The system cannot find the file specified"


    **I did try the first set of instructions you gave me and it asked me for a CD, which I don't have. So then I proceeded to do the other (Notepad) one and it gave the error message :/
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need the CD to reinstall System Restore. I cannot help you any further with this in this forum anyway, but without the CD you will not be able to fix it.
     
  28. sixpackgirl

    sixpackgirl Private E-2

    Ok, no problem. Thanks again for everything; I'll contact HP for it :)
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Try the step with sr.inf again once you have your CD.
     
  30. sixpackgirl

    sixpackgirl Private E-2

    Well, I contacted HP in regards to the problem I was having. The guy made me do a system recovery, which he said is already installed on my computer; there was no need for a CD. He promised my information would NOT be deleted, and after I finished the recovery process, boom!! All my information is gone! There is a file with my documents in it; however, I can't access it because I imagine it has to do with it being password protected. I lost all my programs along with all the ones I had already downloaded, so it's all a big mess, but the computer is running like new.

    On a lighter note, the System Restore is now working :D
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well, the tech guy is an idiot, because anyone who knows even the slightest bit about PCs could tell you that a system recovery brings your PC back into the state that the company shipped it to you in. You should scream at them about this and you should insist upon getting a Windows XP CD to avoid future problems like this. In addition, the System Recovery was totally unnecessary. If they had given you a CD like they should when you purchase the PC, you could have run the sr.inf file procedure and your problems would most likely have been fixed.
     
  32. sixpackgirl

    sixpackgirl Private E-2

    Yeah, I know!! I'm so mad, you have no idea; I lost everything! He said a "non-destructive" system recovery would not do that to my laptop. He even said to do the backup disks after the recovery!! I wish I would have known better :'(
     
  33. sixpackgirl

    sixpackgirl Private E-2

    The weird thing is, it still has the files I had downloaded prior to doing the system recovery, e.g. AVG, pocketkiller, etc. Are they not supposed to be gone after doing a system recovery? I just thought that was weird :/
     
  34. sixpackgirl

    sixpackgirl Private E-2

    Sorry, I meant Killbox, hahahaha, not pocket killer!! I don't know where I got that.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then perhaps what he had you run is not the kind of operation that I was thinking of, where they bring you back to a shipped condition. That kind of operation would just restore the whole original partition to how your PC was shipped to you. If they did not do this, then many things that you have downloaded may still exist. However, anything that truly required an installation (things that modify the registry, which Pocket Killbox does not do) may or may not work. It all depends on exactly what their System Recovery truly did. It is possible that it does not change the registry but just restores all system related files.

    You should look through your hard disk. You may not have lost the data you thought you lost.
     
