Beardyface
Joined: 05 Nov 2009 Posts: 3
Posted: Thu Nov 05, 2009 4:02 pm    Post subject: Advent PC with more than 1 virus
I have an Advent PC running Windows Vista Home Premium which has more than 1 virus on it......I have tried various Spyware anti-virus progs to remove them, but to no avail. This PC was purchased from new but did not come with any restore/recovery discs, and I have lost the original manuals.......What I would like to know is what keys to press on boot up, to enable me to do a fresh install of the operating system.
Thanks Beardyface....
SoftStag

Joined: 05 Feb 2006 Posts: 1962 Location: UK
Posted: Thu Nov 05, 2009 6:11 pm
Hi Beardyface, welcome to the forums.
I don't believe that you will be able to reload the computer without an Advent reload CD. You can buy such reload CDs from here.
Alternatively, we could try to remove the malware that is on your system. If you want to go down this route, please post a HijackThis Log. _________________ "Microsoft programs are generally bug-free. If you visit the Microsoft hotline, you'll literally have to wait weeks if not months until someone calls in with a bug in one of our programs. 99.99% of calls turn out to be user mistakes. I know not a single less irrelevant reason for an update than bugfixes. The reasons for updates are to present more new features."
-- Bill Gates, on code stability, from Focus Magazine
Beardyface
Joined: 05 Nov 2009 Posts: 3
Posted: Fri Nov 06, 2009 8:30 pm
As requested please find below the HiJackthis Log file. I have appended to the bottom of the list some further information that might be useful.
==============================================================================================
HiJack log file from Beardyface....RE Advent PC with more than 1 virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:52, on 06/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdra64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\restorer32_a.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\prime95.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Altap Salamander 2.5\salamand.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
L:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [installed] C:\Windows\system32\winlogon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Prime95] C:\prime95.exe
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O13 - Gopher Prefix:
O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\Windows\system32\FastNetSrv.exe
O23 - Service: GWQP - Sysinternals - www.sysinternals.com - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
--
End of file - 5287 bytes
=========================================================================
I have since noticed that 3 porn website shortcuts have appeared on my Desktop.....When I do a properties check
on them, they show as follows...."p://clicks.totemash.com/s=42810&p=21&pp=1". Am I right in assuming that the "p:"
is a hidden partition on my hard drive, and the remainder obviously points to a porn web site.
Thanks Beardy
SoftStag

Joined: 05 Feb 2006 Posts: 1962 Location: UK
Posted: Sun Nov 08, 2009 2:18 pm
Beardyface wrote:
    I have since noticed that 3 porn website shortcuts have appeared on my Desktop.....When I do a properties check
    on them, they show as follows...."p://clicks.totemash.com/s=42810&p=21&pp=1". Am I right in assuming that the "p:"
    is a hidden partition on my hard drive, and the remainder obviously points to a porn web site.
I think you just can't see the htt part at the start. There wouldn't be 2 slashes if it was a drive, and the slash would be a backslash, not a forward-slash. Delete these shortcuts!
OK, your PC is infected. The first thing to do is physically disconnect it from the Internet. It is probably sending Spam emails out, and could be reporting passwords and other information from your computer to a remote server.
Boot the computer into Safe Mode. Then run HijackThis and use it to fix the following entries:
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\Windows\system32\FastNetSrv.exe
O23 - Service: GWQP - Sysinternals - www.sysinternals.com - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe
Now, locate and delete the following files (note that you may need to show System and Hidden files to achieve this):
C:\Windows\System32\reader_s.exe
C:\Windows\system32\restorer32_a.exe
C:\Windows\TEMP\msxm192z.dll
C:\Users\Beardy\restorer32_a.exe
C:\Users\Beardy\AppData\Roaming\sdra64.exe
C:\Windows\system32\kbdnet.dll
C:\Windows\system32\FastNetSrv.exe
C:\Users\Beardy\AppData\Local\Temp\GWQP.exe
Restart the computer in Normal Mode, run HijackThis and post a new log.
Do not reconnect this computer to the Internet!
Beardyface
Joined: 05 Nov 2009 Posts: 3
Posted: Mon Nov 09, 2009 4:15 pm
I have done what you suggested.....Please find below the latest HijackThis report.......
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:29, on 09/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdra64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\prime95.exe
C:\Program Files\Altap Salamander 2.5\salamand.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
K:\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [installed] C:\Windows\system32\winlogon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Prime95] C:\prime95.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O13 - Gopher Prefix:
O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\Windows\system32\FastNetSrv.exe (file missing)
O23 - Service: GWQP - Unknown owner - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe
--
End of file - 5200 bytes
SoftStag

Joined: 05 Feb 2006 Posts: 1962 Location: UK
Posted: Mon Nov 09, 2009 6:30 pm
OK, there are still quite a few problems there.
Please boot into Safe Mode, and run HijackThis.
Put a tick next to each of the following and select fix:
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\Windows\system32\FastNetSrv.exe (file missing)
O23 - Service: GWQP - Unknown owner - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe (file missing)
Now find and delete the following files:
C:\Windows\System32\reader_s.exe
C:\Windows\system32\regedit.exe
C:\Windows\system32\restorer32_a.exe
C:\Users\Beardy\AppData\Roaming\sdra64.exe
C:\Users\Beardy\AppData\Roaming\sdra64.exe
C:\Users\Beardy\restorer32_a.exe
C:\Windows\TEMP\msxm192z.dll
C:\Windows\TEMP\msxm192z.dll
C:\Windows\system32\kbdnet.dll
C:\Windows\system32\sdra64.exe
Now empty the recycle bin.
Now restart the computer in Safe Mode and run HijackThis again. Please post another HijackThis log.
Do not boot your computer back into Normal mode!
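The checks SoftStag applies by eye in his two replies above (an extra executable chained onto the UserInit value, Run entries launched from TEMP or from the user's profile, a non-empty AppInit_DLLs, a service whose binary sits in a Temp folder or is reported as "(file missing)", and entries that are still there in the second log after the first cleanup pass) can be written down as a small triage script. The Python below is an added example for this thread, not code from the forum, from HijackThis or from Trend Micro; the heuristics, the function names and the two sample logs are its own, the sample logs being a constructed subset of the entries Beardyface posted. The classify_shortcut_target helper is just SoftStag's "two forward slashes means a URL, not a drive" reasoning written as a function.

```python
# Added example (not from the thread or from HijackThis): flag the kinds of
# HijackThis entries SoftStag picks out, and compare two logs to see what a
# cleanup pass left behind. Heuristics, names and sample logs are this
# example's own; the sample entries are a constructed subset of the thread's.
import re

# Autostart entries rarely launch from temp or per-user profile directories.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|appdata\\(roaming|local\\temp))\\", re.IGNORECASE)
# An .exe sitting directly in a user's profile root (C:\Users\<name>\x.exe).
PROFILE_ROOT_EXE = re.compile(r"[a-z]:\\users\\[^\\]+\\[^\\\s]+\.exe", re.IGNORECASE)
# HijackThis prefixes every entry with a code such as R0, F2, O4, O23.
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# The only thing that belongs in UserInit; anything appended runs at each logon.
STANDARD_USERINIT = "userinit.exe"

# Constructed sample: a subset of the first log posted in the thread.
SAMPLE_BEFORE = r"""
Running processes:
C:\Windows\system32\sdra64.exe
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: GWQP - Sysinternals - www.sysinternals.com - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

# Constructed sample: a subset of the second log, after the first cleanup pass.
SAMPLE_AFTER = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: GWQP - Unknown owner - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe (file missing)
"""


def parse_entries(log_text):
    """Yield (kind, body) for every HijackThis entry line; process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("kind"), m.group("body")


def flag_entry(kind, body):
    """Return a short reason if the entry trips a heuristic, else None."""
    if kind == "F2" and "UserInit=" in body:
        # UserInit=a.exe,b.exe, -> every element beyond userinit.exe is a hijack.
        targets = [t.strip() for t in body.split("UserInit=", 1)[1].split(",") if t.strip()]
        extra = [t for t in targets if not t.lower().endswith(STANDARD_USERINIT)]
        if extra:
            return "UserInit chain extended with " + ", ".join(extra)
    if kind == "O4":
        if SUSPICIOUS_DIRS.search(body):
            return "autostart launched from a temp/profile directory"
        if PROFILE_ROOT_EXE.search(body):
            return "autostart executable dropped in the user's profile root"
    if kind == "O20" and "AppInit_DLLs:" in body and body.split(":", 1)[1].strip():
        return "AppInit_DLLs set (DLL loaded into every user-mode process)"
    if kind == "O23":
        if "(file missing)" in body:
            return "service still registered but its binary is gone"
        if SUSPICIOUS_DIRS.search(body):
            return "service binary lives in a temp/profile directory"
    return None


def triage(log_text):
    """Return [(kind, body, reason)] for every entry that trips a heuristic."""
    findings = []
    for kind, body in parse_entries(log_text):
        reason = flag_entry(kind, body)
        if reason:
            findings.append((kind, body, reason))
    return findings


def still_present(log_before, log_after):
    """Flagged entries that survive a cleanup attempt, compared as exact entry text."""
    after = {(k, b) for k, b, _ in triage(log_after)}
    return [(k, b, r) for k, b, r in triage(log_before) if (k, b) in after]


def classify_shortcut_target(target):
    """A drive path is letter, colon, backslash; a URL has '://' and forward slashes."""
    if "://" in target:
        scheme = target.split("://", 1)[0].lower()
        return "url" if scheme in ("http", "https", "ftp") else "url (truncated scheme)"
    if re.match(r"^[A-Za-z]:\\", target):
        return "local path"
    return "unknown"


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_BEFORE):
        print(f"{kind}: {reason}\n    {body}")
    print("\nStill present after the cleanup pass:")
    for kind, body, _ in still_present(SAMPLE_BEFORE, SAMPLE_AFTER):
        print(f"  {kind} {body}")
    print(classify_shortcut_target("p://clicks.totemash.com/s=42810&p=21&pp=1"))
```

Run stand-alone, the script lists six flagged entries in the first sample and reports that the UserInit hijack, the two per-user Run entries and the AppInit_DLLs value are all still there in the second sample, which is what a persistent infection looks like when only the files, not the registry values that relaunch them, were removed. The "(file missing)" service is reported separately, since a service whose binary is gone is a leftover to clean up rather than live code.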