General discussion

Sound Card Virus?

Hello... I could not find this topic already addressed. I was listening to music on my computer when I opened a Zip file I had downloaded... my Windows Media player shut down, followed by my whole computer shutting down. When I re-booted everything was fine except the computer did not recognize my sound card (C-Major Sigma Tel Audio.)

In Control Panel my Volume Control is greyed out and lists "No Audio Device." The Audio tab is greyed out: "No Playback Devices, No Recording Devices, No Midi Devices." On the Hardware tab I highlight my soundcard: "PCI Bus 0, device 31, function 5- This device is working properly" Under Audio Codecs & Legacy Audio Drivers I get "Location Unknown" but "These devices are working properly." I have tried uninstalling the sound card and re-installing, restarting the audio Services under the Administrative Options tab, and more... the sound was working again for five minutes until I turned the computer off.

I can't get it going again since I turned it back on... any suggestions?

Thanks!

First try?

Use System Restore to a day before the problem.

Thanks

Thanks, I tried System Restore but it did not work. Any other ideas?

You might be a Norton user.

Symantec does tell how to fix that issue. Your post is too light on details to go much further.

Malwarebytes Scan

I have Malwarebytes Anti-Malware software. I had Norton Antivirus but it has been rendered unusable since this attack.

Here is my logfile after running a Malwarebytes System Scan:
Malwarebytes' Anti-Malware 1.34
Database version: 1890
Windows 5.1.2600 Service Pack 3

3/26/2009 8:53:53 AM
mbam-log-2009-03-26 (08-53-53).txt

Scan type: Full Scan (C:\|)
Objects scanned: 150728
Time elapsed: 58 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Mike Liberty\Application Data\m (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\Documents and Settings\Mike Liberty\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP557\A0186014.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP557\A0186102.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP558\A0187102.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP559\A0187171.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP559\A0187228.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP559\A0187248.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike Liberty\Application Data\m\data.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike Liberty\Application Data\m\list.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike Liberty\Application Data\m\srvlist.oct (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike Liberty\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\mdelk.exe (Trojan.Spammer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
C:\Documents and Settings\Mike Liberty\Application Data\m\flec006.exe (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\Mike Liberty\Application Data\drivers\wfsintwq.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.

I delete infected files, reboot & re-scan and everything is back. Any advice?
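
A short triage pass over the log format posted above, as an added example that is not part of the original post or of Malwarebytes itself. It pulls out what a responder would check first: items only scheduled for deletion on reboot, the driver service key, and the System Restore points that held detected files. The function names and the shortened log excerpt are assumptions made for the example.

```python
import re
from collections import Counter

# Excerpt copied from the Malwarebytes log in the post above (not the full log).
LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa (Rootkit.Bagle) -> Delete on reboot.
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Mike Liberty\Application Data\drivers\srosa2.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP557\A0186014.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5B569949-7F2C-4454-8B46-89D4173A3CB8}\RP559\A0187171.sys (Rootkit.Bagle) -> Quarantined and deleted successfully.
C:\Documents and Settings\Mike Liberty\Application Data\drivers\winupgro.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wintems.exe (Trojan.Spammer) -> Delete on reboot.
"""

# One detection per line: <object> (<family>) -> <action>.
LINE = re.compile(r"^(?P<obj>.+) \((?P<family>[\w.]+)\) -> (?P<action>.+?)\.?$")
# XP System Restore stores snapshots under _restore{GUID}\RPnnn\
RESTORE_POINT = re.compile(r"\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\")
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"

def parse(log):
    """Return one dict per detection line; section headers and counters are skipped."""
    hits = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            hits.append(m.groupdict())
    return hits

def triage(log):
    """Summarise detections by family, pending removals, restore points and services."""
    hits = parse(log)
    return {
        "families": Counter(h["family"] for h in hits),
        # Not removed yet: still present until the reboot-time delete succeeds.
        "pending_reboot": [h["obj"] for h in hits
                           if h["action"].lower() == "delete on reboot"],
        # Restore points in which detected files were found.
        "restore_points": sorted({m.group(1) for h in hits
                                  if (m := RESTORE_POINT.search(h["obj"]))}),
        # Service entries under CurrentControlSet\Services flagged by the scan.
        "driver_services": [h["obj"].rsplit("\\", 1)[1] for h in hits
                            if h["obj"].upper().startswith(SERVICES_KEY)],
    }

if __name__ == "__main__":
    for key, value in triage(LOG).items():
        print(key, "->", value)
```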

How did I guess Norton.

It remains the primary cause of System Restore failures I encounter.

Here's a link on what to try to let you use system restore -> http://service1.symantec.com/SUPPORT/sharedtech.nsf/pfdocs/2005113009323013

I didn't find the source document about this but you can disable the Norton tamper seal and restore the machine. At least I've been able to so far. If that is not possible, ask Symantec how to repair the damage they caused.

If Symantec disowns you, read and post in a malware forum like http://www.malwarebytes.org/forums/lofiversion/index.php/t11684.html
Bob

Yikes

The problem is the virus prevents me from opening Norton Antivirus to disable the tamper seal to run System Restore!

Any time I try to run or open any Norton product I get the error message: "BLANK is not a valid Win32 application." Is there any back door to get into Norton to disable the seal so I can do a system restore?

Thanks for your help so far!

Either call that in to Symantec

Heck you paid for it.

Or consider this. Google can't find anyone with "BLANK is not a valid Win32 application."

Head to forums that help people recover from pests. This is not so much an XP issue but a Symantec travesty.
Bob

Sound card virus? Uninstall Norton

I had bought a brand new laptop in March and while it has Windows 8 on it (boo hiss) it worked ok until the preinstalled Norton anti-virus software ran out on its trial period. A week past that date (three days ago), my sound card mysteriously quit working. I tried system restore, etc. and it did not work. What worked? I uninstalled Norton and all Symantec components. My sound card is back. Thanks CNET!

It seems as though Norton does this on purpose to get people to renew the product. This ticks me off because I almost took this comp in to get a $99 diagnostic & was prepared to wait 2 months computerless to see if the manufacturer would install a new one. This is BS. Norton has always put out bad software with all kinds of crap you don't need and messes things up. Why do manufacturers include this stupid program on all new models? It's either Norton or McAfee, and both are garbage, IMO. If this happens to you, and if you have Norton, dump it out of your system and see if it works afterward.
