Another HJT log or two!!!

Status
Not open for further replies.

Rik

Hi Howard, I have been using a friend of a friend's PC as a guinea pig for my attempt at learning more about HJT!!!!

HJT log 1 is from when I first got the PC and HJT log 2 is after me having a go at it!!!!
 
Hi Rik,

I'm starting to learn about HJT logs. Howard will correct me if I'm wrong hehe :)

C:\WINDOWS\System32\MsPMSPSv.exe
Some people recommend to disable this service. It's used by Media player. I'm sure you can disable it in msconfig, startup tab, or services tab.
Some guys claim that it's a form of spyware, some say it's harmless.
But you should disable it, it's not essential.

Since I'm too dumb for this yet, I'd recommend to listen to Howard's advice :)

Regards :wave:
 
Thanx for the advice Wolfram, I too am learning as I said in my first post!!!!
I'm hoping I can fix this PC before it goes up in smoke!! hehe!!
It's an emachine, like ewww, it's horrible and will probably die from the crappy PSU in it!!!!

Q - What's the best thing about an emachine?
A - The moment you give it back to the poor mug that actually parted with cash for that pile of s**t!!!!!!
 
That is one of the most badly infected systems I've seen for quite some time. No antivirus or firewall software and you can see why it's so bad and that's only what I can see. With a renamed HJT log I shudder to think what's there.

Based on the first HJT log, I'd recommend reformatting and starting from scratch.

I can't comment on the second HJT log as I don't know how things have been fixed.

BTW: The MsPMSPSv.exe file is not nasty and is part of the Windows media player.

Regards Howard :)
 
I got rid of Norton first off, then scanned with some crap that was on it and was out of date for a laugh, it found nothing!!! I then installed eTrust antispyware and it found 54 infections!!! I then used HJT to remove some more crap from it and it's not perfect yet, but it is running a hell of a lot faster and has no boot errors or popups of any kind!! It only comes up with 2 error boxes when it shuts down but they flash up that quickly that I don't get a chance to see what they say!!!!
 
Hmm, like Howard said, a full format would be better. Then prevent future infections, using AVG Free, and ZoneAlarm's free firewall, also, some antispyware and antitrojan tools.

But like you said, it's an E-machines, who cares about it :p
 
That's the problem right there. Simply fixing something with HJT doesn't actually get rid of it. Depending what it is, it needs to be physically removed from the system.

That's why I couldn't comment on HJT 2.

For instance, all these are bad and need uninstalling/deleting:

C:\Program Files\PowerCodec\isamonitor.exe
C:\Program Files\PowerCodec\pmsngr.exe
C:\Program Files\PowerCodec\pmmon.exe
C:\Program Files\PowerCodec\isamini.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe
C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe
C:\Program Files\DriveCleaner 2006 Free\UDC6cw.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILEOi+Vh7AfA98Gm4Me69ZMbubcDXggyks41LS9Xy wuwN/oqwTWhUdpG91HQWAAMtZMekQFTZfgnDQLpiPgLT87KDT1yeDkU4yiJ+PgdxY7FcIzupUMLFRTgq Q/WLW4fupSo/yK+j2DpzMXppVfOibUJ4tVdOIj8Psh9P8p7/wtcYztRfo5gFkOsPWoh

O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware343\bin\Starware343.dll

O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

O2 - BHO: (no name) - {7b4d79df-9ef0-429d-a0e9-d9b138c6a53b} - C:\Program Files\PowerCodec\isaddon.dll

O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll<Fix only

O3 - Toolbar: Protection Bar - {8aed5df3-6e0b-4930-b1a5-f8aa8d757497} - C:\Program Files\PowerCodec\iesplugin.dll

O3 - Toolbar: Starware343 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware343\bin\Starware343.dll

O4 - HKLM\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe

O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe

O4 - HKLM\..\Run: [OSS] C:\WINDOWS\system32\ossproxy.exe -boot

O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe

O4 - HKLM\..\Run: [DriveCleaner 2006 Free] "C:\Program Files\DriveCleaner 2006 Free\UDC2006.exe" /min

O4 - HKLM\..\Run: [SDR6_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcsdr.exe"

O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner 2006 Free\udcpas.exe"

O4 - HKLM\..\Run: [UDC6cw] "C:\Program Files\DriveCleaner 2006 Free\UDC6cw.exe" -c

O4 - HKLM\..\Run: [NI.UWAS6_0001_N91M1508] "c:\documents and settings\alan reid\application data\winantispyware2006freeinstall[2].exe" -nag

O4 - HKLM\..\RunServices: [Microsoft Update] snlogsvc.exe

O4 - HKLM\..\RunServices: [msnsched] msnsched.exe

O4 - HKCU\..\Run: [win_upd2.exe] C:\WINDOWS\System32\WINdirect.exe

O4 - HKCU\..\Run: [Microsoft Update] snlogsvc.exe

O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe

O10 - Hijacked Internet access by New.Net<Do not fix with HJT. Newnet needs to be uninstalled, or if that's not possible the newnet downloadable uninstaller programme should be used.

O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flash.ladbrokescasino.com/ladbrokes/FlashAX.cab

O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab

O21 - SSODL: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - C:\WINDOWS\system32\tazth.dll

The above are all the entries that need to be got rid of. All the programmes should be uninstalled. Anything that's run as a service needs to have its services stopped. All the .exe files must be stopped from running via task manager. All the files must be deleted apart from the one I said fix only.

The last entry will probably need Killbox to get rid of it.

Now do you see what I mean?

Regards Howard :)
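Howard's point that fixing an entry in HJT does not remove the file behind it can be turned into a checklist. This is an added example, not part of the thread and not HijackThis code: it parses a constructed subset of the entries quoted above and groups them by the file they load. The names `parse_entries` and `cleanup_plan` are hypothetical, and the `<Fix only` marker is the annotation used in the post, not HijackThis output.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the entries quoted in the thread, including
# the helper's "<Fix only" annotation (an annotation, not HijackThis output).
SAMPLE_LOG = r"""
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll<Fix only
O4 - HKLM\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O4 - HKLM\..\Run: [Microsoft Update] snlogsvc.exe
O4 - HKLM\..\Run: [UDC6cw] "C:\Program Files\DriveCleaner 2006 Free\UDC6cw.exe" -c
O4 - HKCU\..\Run: [wpds.exe] C:\WINDOWS\System32\doriot.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab
O21 - SSODL: gaonic - {f31aee4a-1530-4fef-8537-79c6973bff9a} - C:\WINDOWS\system32\tazth.dll
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # section code, rest of line
FULL_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?]+?\.(?:exe|dll)', re.I)
BARE_NAME = re.compile(r'\]\s+"?([^\\"\s]+\.(?:exe|dll))', re.I)  # value with no folder

def parse_entries(log):
    """Yield (section, file_or_None, is_full_path, fix_only) per log entry."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, rest = m.groups()
        fix_only = "<fix only" in rest.lower()
        full = FULL_PATH.search(rest)
        bare = None if full else BARE_NAME.search(rest)
        name = full.group(0) if full else bare.group(1) if bare else None
        yield section, name.lower() if name else None, bool(full), fix_only

def cleanup_plan(log):
    """Group entries by the file they load; one file can have several entries."""
    refs = defaultdict(list)
    plan = {"delete": set(), "fix_only": set(), "locate": set(), "no_file": []}
    for section, name, is_full, fix_only in parse_entries(log):
        if name is None:
            plan["no_file"].append(section)  # O10/O16 here: uninstaller or manual review
            continue
        refs[name].append(section)
        bucket = "fix_only" if fix_only else "delete" if is_full else "locate"
        plan[bucket].add(name)
    result = {k: sorted(v) if isinstance(v, set) else v for k, v in plan.items()}
    result["refs"] = dict(refs)
    return result

if __name__ == "__main__":
    print(cleanup_plan(SAMPLE_LOG))
```

After a cleanup pass, anything in `delete` that still exists on disk, or anything in `locate` that a file search still finds, means the entry was only unhooked and not removed.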
 