Member Panel

spellbyte

I am trying to fix a friends laptop and have completed all the prework.

I am attaching the ewido logs and HJT logs. can someone check them through and see if there is anything left on there,

the laptop is a Packard Bell Easynote W3301 and as usual there is a load of unnecessary software loaded up onto the system, so could someone also point out which is safe to remove and which should be kept on there for the system to function properly?

spellbyte

my mistake, sorry guys i forgot to post the all important logs

spellbyte

has anyone had a chance to look at those logs yet

joe5

Nope , not untill now.

Unless he uses the Powercinema and Cyberlink software then these can be fixed with hjt , if he does use those then remove them from the list:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe

Use start/run/services.msc to disable the 023 entry's:

Click Start>Run and type in: services.msc
Click OK
In the Services window find: The Service Name of the 023's
Select/highlight and right click the entry, and choose: Properties
On the General tab, under Service Status click the Stop button
Beside: Startup Type, in the drop menu, select: Disabled
Click Apply, then OK

And do you/he know what these are?

O4 - HKLM\..\Run: [RMC] C:\WINDOWS\system32\drivers\RMC.exe
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install

If not then upload them to this site and report back the scan results please:

http://www.virustotal.com/en/indexf.html

spellbyte

I haven't got a clue what those last ones are and i'm pretty sure that she doesn't. the laptop has been used to look at risky sites so she says so it could be anything. i'll ask her to bring it back round so i can do the nessecary removals

thanks for the reply joe,

who knows this could be my last post on here from the UK

joe5

Im pretty sure the ms1src.exe is some sort of malware , im not sure about the RMC.exe one. Lets see what the online scan results at that site will be.

PS , how come the last post from the UK? Are you moving?

Member Panel

Sponsors and Ads

Live Tag Cloud