
Resolution Locked & No Modem



#1
kneigh

I'm working on an older Dell Computer L700 CX w/Celeron processor running Windows ME that belongs to my barber. She informed me that all was well until she downloaded a program called "Error Guard", apparently from a pop-up she received. (First Mistake :tazz: )

Since that time, her monitor will only display in the lowest resolution, 640 x 480, the same as "SAFE MODE", and she can no longer connect to the internet. Plus, her system slowed down considerably, which is saying something for an old system. She uninstalled "Error Guard", but the problems persisted. She also tried to run System Restore but it failed.

After trying to correct the problems at her house, I ended up bringing the computer to my house and hooking it up to an extra monitor, mouse and keyboard I have. Same problems.

I have gone into msconfig and unchecked all but a few important Startup processes.

I have scanned her registry for "ErrorGuard", and the only references to it refer to Epson printers, which she has. I assume these to be valid registry entries.

I have run a clean Norton Anti-Virus system scan, as well as Ad-Aware and SpyBot. The first time I ran the Malware programs, they found lots of goodies, as it was the first time they'd been run on the computer.

Since that time, SpyBot has returned a clean report, both in "Safe Mode" and "Normal Mode".

Ad-Aware reports that I have 4 files in C:\_Restore\Temp\
A00043480.0 (Initial Name GMT.exe (Gain)) Claria?
A00044610.0 (Originally Loader.exe) Second Thought?
A0008198.Cpy
A0008199.Cpy

Ad-Aware reports that I have 1 folder in C:\\temporary (and, yes, Ad-Aware shows two \\).
Second Thought folder

I went to C drive, and there is no C:\\temporary folder. I've already deleted all files in the various Temp and Temporary folders. Of course, System Restore will not run, and, she is correct, this is one slow system, even for a Celeron 700.

Also, one of the earlier times I was running Ad-Aware, what I would call "The Phony Norton Error Messages" popped up, saying that such and such had been removed, and it was now safe to run the computer. They have not reappeared. I've seen these screens on other computers I was cleaning up, and I believe they come from this ErrorGuard program.

Normally, I'm pretty good at finding problems, but this has me baffled. I'm wondering if it's a hardware failure that just happened to coincide with her installation of "Error Guard"?

I've suggested to her that she get a new computer, but she said she really just got this one paid for. She's just a casual user, doing the AOL thing, occasional Google and some pictures. She does not do her business books on the system.

Anyway, I still cannot connect with the Internet nor can I adjust resolution.

Any thoughts?? Here is the Hi-Jack report. Obviously, a pretty vanilla system!!

Logfile of HijackThis v1.99.1
Scan saved at 4:24:38 AM, on 5/29/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\TERRY HEATH\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM95\AIM.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab

Edited by kneigh, 29 May 2005 - 05:46 AM.



#2
Murray S.

Howdy:

First, disable System Restore..

Next, boot into Safe Mode.. Now, go to Control Panel>Add/Remove Programs..

Look for "Gain" and/or "Claria".. If they are there, use the option to remove them..

Now, run another Ad-Aware and SpyBot scan..

If clean, reboot into Normal Mode..

Murray

#3
kneigh

Murray,

Thanks for coming back!!

I went in to disable System Restore, but I'd already done that, and it's still disabled. The folder C:\_Restore is still there, but of course I can't delete it.

Booted into Safe Mode and checked Add/Delete Programs, but nothing there.

Reran Spy-Bot and Ad-Aware again.

Spy-Bot Messages:

1. Error During Check! XURON55 [Datei C:\Windows\win.ini kann nicht geoffnet werden. The process cannot access the file because it is being used by another process.] I believe this is a bug in the Spy-Bot program, but am not positive.
2. Congratulations! No immediate threats were found.

Ad-Aware Messages: Here's the log file verbatim.

Ad-Aware SE Build 1.05
Logfile Created on:Sunday, May 29, 2005 11:26:27 AM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R47 24.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Claria(TAC index:7):1 total references
Lop(TAC index:7):2 total references
MRU List(TAC index:0):6 total references
SecondThought(TAC index:4):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5-29-2005 11:26:27 AM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer


MRU List Object Recognized!
Location: : .DEFAULT\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [KERNEL32.DLL]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279185201
Threads : 4
Priority : High
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
LegalCopyright : Copyright © Microsoft Corp. 1991-2000
OriginalFilename : KERNEL32.DLL

#:2 [MSGSRV32.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294928849
Threads : 1
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
LegalCopyright : Copyright © Microsoft Corp. 1992-1998
OriginalFilename : MSGSRV32.EXE

#:3 [MPREXE.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294951093
Threads : 2
Priority : Normal
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
LegalCopyright : Copyright © Microsoft Corp. 1993-2000
OriginalFilename : MPREXE.EXE

#:4 [EXPLORER.EXE]
FilePath : C:\WINDOWS\
ProcessID : 4294959329
Threads : 6
Priority : Normal
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
ProductName : Microsoft® Windows ® 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : EXPLORER.EXE

#:5 [DDHELP.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294711769
Threads : 3
Priority : Realtime
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
ProductName : Microsoft® DirectX for Windows®
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
LegalCopyright : Copyright © Microsoft Corp. 1994-2002
OriginalFilename : DDHelp.exe

#:6 [STIMON.EXE]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294730653
Threads : 5
Priority : Normal
FileVersion : 4.90.3000.1
ProductVersion : 4.90.3000.1
ProductName : Microsoft® Windows® Millennium Operating System
CompanyName : Microsoft Corporation
FileDescription : Still Image Devices Monitor
InternalName : STIMON
LegalCopyright : Copyright © Microsoft Corp. 1981-2000
OriginalFilename : STIMON.EXE

#:7 [AD-AWARE.EXE]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE SE PERSONAL\
ProcessID : 4294769177
Threads : 2
Priority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 6



Deep scanning and examining files (c:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Claria Object Recognized!
Type : File
Data : A0004348.0
Category : Data Miner
Comment :
Object : c:\_RESTORE\TEMP\
FileVersion : 6.0.4.1
ProductVersion : 6.0.4.1
ProductName : GAIN
CompanyName : GAIN Publishing
FileDescription : GAIN Application
InternalName : GMT.exe
LegalCopyright : Copyright © 1999-2004 GAIN Publishing
OriginalFilename : GMT.exe


SecondThought Object Recognized!
Type : File
Data : A0004461.0
Category : Malware
Comment :
Object : c:\_RESTORE\TEMP\
FileVersion : 8.0.7.2
ProductVersion : 8.0.7.2
ProductName : Loader
FileDescription : Loader
InternalName : loader
LegalCopyright : Copyright © 2003
OriginalFilename : loader.exe


Lop Object Recognized!
Type : File
Data : A0008198.1
Category : Malware
Comment :
Object : c:\_RESTORE\TEMP\



Lop Object Recognized!
Type : File
Data : A0008199.1
Category : Malware
Comment :
Object : c:\_RESTORE\TEMP\



Disk Scan Result for c:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 10


Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

SecondThought Object Recognized!
Type : Folder
Category : Malware
Comment :
Object : c:\\temporary

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 11

11:38:01 AM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:11:34.310
Objects scanned:150982
Objects identified:5
Objects ignored:0
New critical objects:5


As you can see, this is the same stuff that I previously posted.
That same folder, C:\\temporary still shows up, even though I cannot find it.

Ad-Aware's final message on exiting says:
Some objects could not be removed Try closing all open browser windows prior to the removal. If this does not help, reboot and run again.

C:\_Restore\temp\
A0004348.0
A0004461.0
A0008198.1
A0008199.1

Do you want to let Ad-Aware remove them after the next reboot?

I clicked "Cancel". I've been here, done that both ways, and they still come back, and, of course, I cannot delete C:\_Restore.

Again, I appreciate you offering assistance!! :tazz:

Any other ideas?? The problem is probably so obvious, I'm missing it!!

Terry
  • 0
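An added example, not part of the original posts: a short Python parser for the Ad-Aware SE log layout shown in the post above, grouping each recognized object by where it sits (MRU usage trace, item under C:\_RESTORE, or any other path). The sample log is a constructed excerpt of that post's log, and the function and bucket names are assumptions chosen for illustration.

```python
import re

# Constructed sample: trimmed excerpt in the layout of the Ad-Aware SE log above.
SAMPLE_LOG = r"""
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru

Claria Object Recognized!
Type : File
Data : A0004348.0
Comment :
Object : c:\_RESTORE\TEMP\

Lop Object Recognized!
Data : A0008198.1
Object : c:\_RESTORE\TEMP\

SecondThought Object Recognized!
Type : Folder
Object : c:\\temporary

New critical objects: 1
"""

HEADER = re.compile(r"^(.+?) Object Recognized!\s*$")
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")

def parse_detections(log):
    """Return one dict per 'Object Recognized!' block; a blank line ends a block."""
    detections, current = [], None
    for line in log.splitlines():
        if (m := HEADER.match(line)):
            current = {"Family": m.group(1)}
            detections.append(current)
        elif not line.strip():
            current = None  # scan summaries after a block are not detection fields
        elif current is not None and (m := FIELD.match(line)):
            current[m.group(1).strip()] = m.group(2).lstrip(": ").strip()
    return detections

def bucket(det):
    if "Object" not in det:  # MRU entries carry a Location, not an Object path
        return "usage-trace"
    path = re.sub(r"\\+", r"\\", det["Object"].lower())  # collapse doubled backslashes
    return "restore-store" if path.startswith("c:\\_restore") else "other-path"

def triage(log):
    groups = {}
    for det in parse_detections(log):
        name = det.get("Data") or det.get("Object") or det.get("Location")
        groups.setdefault(bucket(det), []).append((det["Family"], name))
    return groups

print(triage(SAMPLE_LOG))
```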

#4
Murray S.

Howdy:

Update your av program and run a full system scan..

Also, go to www.antivirus.com and run their online scanner..

Based on the "German" tones, going to bet you got hit by the newest variation of an old virus!!

Murray

#5
kneigh

Hi, Murray,

Well, it looks like I'm between a rock and a hard pile!!

I purchased Norton SystemWorks 2005 and installed it. Unfortunately, because the modem will not connect, I cannot activate the software. The virus definitions with the program are from 1/18/05. I downloaded the current definitions onto my computer, then transferred them to the problem system, but it will not allow me to install them, because it says the trial period has expired.

I called Symantec to see if I could register/activate the software via phone. After talking to some foreigner w/no brains or product intelligence for 20+ minutes, I gave up on that idea. God, the person was dense. I must have told her 15 times I could not access the internet, but her mind-set was not to hear me.

At any rate, I used all the SystemWorks functions, including Anti-Virus and One Button Checkup, etc. to no avail.

I've also tried to install other Malware products such as Spy Sweeper, but, again, they require me to register.

I've even tried to install external modems, but they will not work.

Obviously, I can't go online and run www.antivirus.com.

I'm at wits' end. Anyone have any thoughts??

Terry

#6
Murray S.

Go to This Forum and follow the instructions at the top..

Post the required logs in that forum and let one of the MalWare gurus have a go at it!!

Murray

#7
kneigh

Murray,

Will do. Many thanks!!!

Terry

#8
Murray S.

Good luck!! :tazz:

Murray





