Tech Support Forum - View Single Post - The nvctrl.exe monster that won't die

sUBs · 02-21-2006, 03:43 PM

Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *

Download & install - CleanUp.exe (not recommended for WinXP64)

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *

Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:

ViewPoint

Please note any other programs that you dont recognize in that list in your next response

* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *

Click Start -> Run - type SERVICES.MSC & then click on the OK button

Locate the service - WindowInstallSystem (a1cdd0ce23csvr)
Double-click on it to open the Properties dialog.
- Change the Startup type to Disabled & then click on the Apply button
- Stop the service by using the Stop button.
Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
In the popup box that appears, copy/paste a1cdd0ce23csvr
Click on the OK button & answer No if prompted to reboot

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O23 - Service: WindowInstallSystem (a1cdd0ce23csvr) - Unknown owner - C:\WINDOWS\a1cdd0ce23c.exe

* * * *

Next go to Control Panel click Display>Desktop>Customize Desktop>Website
Under the 'Web pages' box, Uncheck everything present.

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *

Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:

Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! does not create any backups!!

* * * * * * USING HIJACKTHIS' DELETE ON REBOOT * * * * * *

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...

In the popup box that appears, copy/paste in:
- C:\WINDOWS\a1cdd0ce23c.exe
Click the Open button.
Click YES when prompted to restart your computer.

* * * * * *

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.

The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to:
- Scan using the following Anti-Virus database:
  - Extended
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *

In your next post, please include fresh logs from:

HiJackThis

Online scan

Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

02-21-2006, 03:43 PM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,480 OS: N/A	Please read this post completely before begining the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. * * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * * Download & install - CleanUp.exe (not recommended for WinXP64) 'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downlaoding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. * * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * * Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs: ViewPoint Please note any other programs that you dont recognize in that list in your next response * * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * * Click Start -> Run - type SERVICES.MSC & then click on the OK button Locate the service - WindowInstallSystem (a1cdd0ce23csvr) Double-click on it to open the Properties dialog. - Change the Startup type to Disabled & then click on the Apply button - Stop the service by using the Stop button. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service In the popup box that appears, copy/paste a1cdd0ce23csvr Click on the OK button & answer No if prompted to reboot * * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * * Do a HijackThis scan & place a check next to these items and select "Fix checked": O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O23 - Service: WindowInstallSystem (a1cdd0ce23csvr) - Unknown owner - C:\WINDOWS\a1cdd0ce23c.exe * * * * Next go to Control Panel click Display>Desktop>Customize Desktop>Website Under the 'Web pages' box, Uncheck everything present. * * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * * Run Cleanup! using the following configuration: 1. Click Options... 2. Set the slider initially to Standard CleanUp! 3. Uncheck the following: Delete Newsgroup cache Delete Newsgroup Subscriptions Scan local drives for temporary files 4. Click OK 5. Press the CleanUp! button to start the program. 6. Do NOT reboot/logoff if prompted. * CleanUp! does not create any backups!! * * * * * * USING HIJACKTHIS' DELETE ON REBOOT * * * * * * Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot... In the popup box that appears, copy/paste in: C:\WINDOWS\a1cdd0ce23c.exe Click the Open button. Click YES when prompted to restart your computer. * * * * * * Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files. Once the files have been downloaded click on NEXT Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK & have it scan My Computer Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply * Turn off the real time scanner of any existing antivirus program while performing the online scan * * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * * In your next post, please include fresh logs from: HiJackThis Online scan Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now __________________ Question - what have you done for the community today? Last edited by sUBs; 02-21-2006 at 03:46 PM.