Free PC Support
PC Help Forums from the Experts at Technical-Assistance.co.uk
Advent PC with more than 1 virus

Beardyface (Joined: 05 Nov 2009, Posts: 3)
Posted: Thu Nov 05, 2009 4:02 pm    Post subject: Advent PC with more than 1 virus

I have an Advent PC running Windows Vista Home Premium which has more than 1 virus on it......I have tried various Spyware anti-virus progs to remove them, but to no avail. This PC was purchased from new but did not come with any restore/recovery discs, I have lost the original manuals.......What I would like to know is what keys to press on boot up, to enable me to do a fresh install of the operating system.

Thanks Beardyface....
SoftStag (Joined: 05 Feb 2006, Posts: 2049, Location: UK)
Posted: Thu Nov 05, 2009 6:11 pm

Hi Beardyface, welcome to the forums.

I don't believe that you will be able to reload the computer without an Advent reload CD. You can buy such reload CDs from here.

Alternatively, we could try to remove the malware that is on your system. If you want to go down this route, please post a HijackThis Log.
_________________
"Microsoft programs are generally bug-free. If you visit the Microsoft hotline, you'll literally have to wait weeks if not months until someone calls in with a bug in one of our programs. 99.99% of calls turn out to be user mistakes. I know not a single less irrelevant reason for an update than bugfixes. The reasons for updates are to present more new features."
-- Bill Gates, on code stability, from Focus Magazine
Beardyface (Joined: 05 Nov 2009, Posts: 3)
Posted: Fri Nov 06, 2009 8:30 pm

As requested please find below the HiJackthis Log file. I have appended to the bottom of the list some further information that might be useful.
==============================================================================================

HiJack log file from Beardyface....RE Advent PC with more than 1 virus
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:06:52, on 06/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdra64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\System32\restorer32_a.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\prime95.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Altap Salamander 2.5\salamand.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmplayer.exe
L:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [installed] C:\Windows\system32\winlogon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Prime95] C:\prime95.exe
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O13 - Gopher Prefix:
O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\Windows\system32\FastNetSrv.exe
O23 - Service: GWQP - Sysinternals - www.sysinternals.com - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe

--
End of file - 5287 bytes
=========================================================================


I have since noticed that 3 porn website shortcuts have appeared on my Desktop.....When I do a properties check
on them, they show as follows...."p://clicks.totemash.com/s=42810&p=21&pp=1". Am I right in assuming that the "p:"
is a hidden partition on my hard drive, and the remainder obviously points to a porn web site.
Thanks Beardy
SoftStag (Joined: 05 Feb 2006, Posts: 2049, Location: UK)
Posted: Sun Nov 08, 2009 2:18 pm

Beardyface wrote:
I have since noticed that 3 porn website shortcuts have appeared on my Desktop.....When I do a properties check
on them, they show as follows...."p://clicks.totemash.com/s=42810&p=21&pp=1". Am I right in assuming that the "p:"
is a hidden partition on my hard drive, and the remainder obviously points to a porn web site.

I think you just can't see the htt part at the start. There wouldn't be 2 slashes if it was a drive, and the slash would be a backslash, not a forward-slash. Delete these shortcuts!

OK, your PC is infected. The first thing to do is physically disconnect it from the Internet. It is probably sending Spam emails out, and could be reporting passwords and other information from your computer to a remote server.

Boot the computer into Safe Mode. Then run HijackThis and use it to fix the following entries:
- O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
- O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
- O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
- O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
- O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
- O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
- O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
- O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
- O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
- O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
- O23 - Service: fastnetsrv Service (fastnetsrv) - Netopsystems A - C:\Windows\system32\FastNetSrv.exe
- O23 - Service: GWQP - Sysinternals - www.sysinternals.com - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe

Now, locate and delete the following files (note that you may need to show System and Hidden files to achieve this):
- C:\Windows\System32\reader_s.exe
- C:\Windows\system32\restorer32_a.exe
- C:\Windows\TEMP\msxm192z.dll
- C:\Users\Beardy\restorer32_a.exe
- C:\Users\Beardy\AppData\Roaming\sdra64.exe
- C:\Windows\system32\kbdnet.dll
- C:\Windows\system32\FastNetSrv.exe
- C:\Users\Beardy\AppData\Local\Temp\GWQP.exe

Restart the computer in Normal Mode, run HijackThis and post a new log.

Do not reconnect this computer to the Internet!
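The checks SoftStag applies to the log above can be written down as a first-pass triage script. This is an added example, not code from the thread or from HijackThis: it flags extra UserInit executables (F2), Run entries launched from Temp or AppData (O4), a populated AppInit_DLLs value (O20) and services with no publisher or a missing binary (O23), plus one rule the thread does not state explicitly, a logon component (winlogon.exe or userinit.exe) started from a Run key. The sample log is a constructed subset of the log posted in this thread.

```python
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [installed] C:\Windows\system32\winlogon.exe
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKCU\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: GWQP - Sysinternals - www.sysinternals.com - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
"""

PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll)', re.IGNORECASE)  # drive-letter path to an exe/dll
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\appdata\\", re.IGNORECASE)
LOGON_BINARIES = {"userinit.exe", "winlogon.exe"}  # started by Windows itself, never via a Run key


def path_reasons(path):
    """Location-based reasons to distrust an autostart binary."""
    if TEMP_RE.search(path):
        return ["runs from a Temp directory"]
    if APPDATA_RE.search(path):
        return ["runs from AppData"]
    return []


def triage_line(line):
    """Return the reasons one HijackThis line deserves a closer look ([] if none matched)."""
    code, _, rest = line.partition(" - ")
    reasons = []
    if code == "F2" and "UserInit=" in rest:
        # Only userinit.exe belongs here; every extra comma-separated entry also runs at logon.
        entries = [e.strip() for e in rest.split("UserInit=", 1)[1].split(",") if e.strip()]
        reasons += [f"extra UserInit executable: {e}" for e in entries
                    if not e.lower().endswith(r"\system32\userinit.exe")]
    elif code == "O4":
        for p in PATH_RE.findall(rest):
            base = p.rsplit("\\", 1)[-1].lower()
            if base in LOGON_BINARIES:
                reasons.append(f"logon component {base} launched from a Run key")
            reasons += path_reasons(p)
    elif code == "O20" and rest.partition(":")[2].strip():
        reasons.append("AppInit_DLLs is set: that DLL is loaded into every GUI process")
    elif code == "O23":
        for marker, why in (("Unknown owner", "service has no publisher"),
                            ("(file missing)", "service binary is missing")):
            if marker in rest:
                reasons.append(why)
        for p in PATH_RE.findall(rest):
            reasons += path_reasons(p)
    return reasons


def triage_log(text):
    """Return [(line, reasons)] for every line the heuristics flag."""
    pairs = [(l.strip(), triage_line(l.strip())) for l in text.splitlines()]
    return [(l, r) for l, r in pairs if r]
```

Location rules alone say nothing about reader_s.exe or regedit.exe sitting in System32, which SoftStag flagged by name; treat the output as a shortlist for review, not a verdict.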
Beardyface (Joined: 05 Nov 2009, Posts: 3)
Posted: Mon Nov 09, 2009 4:15 pm

I have done what you suggested.....Please find below the latest HijackThis report.......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08:29, on 09/11/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdra64.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\prime95.exe
C:\Program Files\Altap Salamander 2.5\salamand.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
K:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe,
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [CmPCIaudio] RunDll32 CMICNFG3.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [installed] C:\Windows\system32\winlogon.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Prime95] C:\prime95.exe
O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
O13 - Gopher Prefix:
O16 - DPF: {8C2D1BF0-5364-403C-9968-E6E348C6B4FB} (VBIRDPlayer.Player) - http://www.iradiopop.com/IRD/pages/VBIRDPlayer.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\Windows\system32\FastNetSrv.exe (file missing)
O23 - Service: GWQP - Unknown owner - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe

--
End of file - 5200 bytes
SoftStag (Joined: 05 Feb 2006, Posts: 2049, Location: UK)
Posted: Mon Nov 09, 2009 6:30 pm

OK, there are still quite a few problems there.

Please boot into Safe Mode, and run HijackThis.

Put a tick next to each of the following and select fix:
- O4 - HKLM\..\Run: [reader_s] C:\Windows\System32\reader_s.exe
- O4 - HKLM\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
- O4 - HKLM\..\Run: [restorer32_a] C:\Windows\system32\restorer32_a.exe
- O4 - HKCU\..\Run: [userinit] C:\Users\Beardy\AppData\Roaming\sdra64.exe
- O4 - HKCU\..\Run: [restorer32_a] C:\Users\Beardy\restorer32_a.exe
- O4 - HKUS\S-1-5-18\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'SYSTEM')
- O4 - HKUS\.DEFAULT\..\Run: [ter8m] RUNDLL32.EXE C:\Windows\TEMP\msxm192z.dll,w (User 'Default user')
- O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
- O20 - AppInit_DLLs: C:\Windows\system32\kbdnet.dll
- O23 - Service: fastnetsrv Service (fastnetsrv) - Unknown owner - C:\Windows\system32\FastNetSrv.exe (file missing)
- O23 - Service: GWQP - Unknown owner - C:\Users\Beardy\AppData\Local\Temp\GWQP.exe (file missing)

Now find and delete the following files:
- C:\Windows\System32\reader_s.exe
- C:\Windows\system32\regedit.exe
- C:\Windows\system32\restorer32_a.exe
- C:\Users\Beardy\AppData\Roaming\sdra64.exe
- C:\Users\Beardy\restorer32_a.exe
- C:\Windows\TEMP\msxm192z.dll
- C:\Windows\system32\kbdnet.dll
- C:\Windows\system32\sdra64.exe

Now empty the recycle bin.

Now restart the computer in Safe Mode and run HijackThis again. Please post another HijackThis log.

Do not boot your computer back in to Normal mode!