   Computer Help Needed Please !
mashy
Computer Help Needed Please !
« on: Feb 1st, 2009, 2:00am »

Hi All,
 
A day ago I did a superspy scan and it found 7 adware tracking cookies and 2 vundo items. I deleted these as per instructions.
After this I rebooted the PC in safe mode and performed a scandisk that, although it took a while to get going after numerous stops & starts, finally scanned the PC without finding any problems.

It was after this was complete that I started to have issues.
I tried to reboot and it went straight into safe mode.

Again I tried & found it offered 3 options: normal, safe or logged (I think).. have tried in normal and it only comes on with a 16bit colour rate.
Have tried to return it to 256bit colours to have this come onscreen.
EGCOmservice_1048.dll
We have since downloaded a program named RegCure that we can't open anyway as the screen size won't allow access to the start button on 16 colour setup.
 
Hope this makes some sort of sense..
Thanks
 
Mashy

If i could fix my P.C as well as i can catch Fish,
I'd be set !!
siliconman01
Re: Computer Help Needed Please !
« Reply #1 on: Feb 1st, 2009, 3:03am »

Have you attempted to do a System Restore from a restore point that is just before you did the superspy scan?  Something has been removed, either because it was infected or falsely, that has your system screwed up.  If you can restore the system back before the scan, then we can go from there to get you cleaned up.  
 
What Windows operating system are you using?  And do you have a CD for re-installing your Windows OS?
 
And can you post here the log from the SuperAntispyware scan?
« Last Edit: Feb 1st, 2009, 3:12am by siliconman01 »

______
TrojanHunter V5.3.994...No. 1 AT in my Book and on my Box(es)! Windows 7 x64 Professional on a Dell XPS 410, 8 gbyte RAM, dual WD VelociRaptors, dual 24" UltraSharp FPD monitors, Logitech 5.1 Surround Sound w/ XM satellite, Avira Premium Security Suite V9; Windows 7 x86 Professional on a Dell Vostro 220s, 4 gbyte RAM, dual WD Raptors, NIS 2010. Common: router, cable modem, PerfectDisk 11 Pro, Casper Backup V6.0, DisplayFusion, SpywareBlaster V4.2, HostsMan V3.2.73, CCleaner, TrojanHunter V5.3.994, etc.
mashy
Re: Computer Help Needed Please !
« Reply #2 on: Feb 1st, 2009, 3:14am »

Hi Tom,
Thanks for your quick reply.
It's a Windows Me Millennium Edition.
I have the quick start guide with CD that I assume is the starter kit setup?
I had done a HijackThis prior to the scandisk.
I removed an item that said
"URL SEARCHHOOK MISSING"
I didn't do any system restore.

Here is a HijackThis log I just did..
I didn't save the original one from prior to the scandisk.
Logfile of HijackThis v1.99.1
Scan saved at 08:17:20, on 01/02/2009
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://au.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bom.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R3 - Default URLSearchHook is missing
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\SYSTEM\NAVSHEXT1.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESAU.DLL (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESAU.DLL (file missing)
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15db451ed965bac34f01/netzip/RdxIE601_fr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
 
 
  
« Last Edit: Feb 1st, 2009, 3:17am by mashy »
siliconman01
Re: Computer Help Needed Please !
« Reply #3 on: Feb 1st, 2009, 3:28am »

Please do this.
 
1.  Run another HJT scan.  When the scan is completed, place a check mark in the box next to the following items.  BE SURE that these are the only items checked.
 
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\SYSTEM\NAVSHEXT1.DLL (file missing)
 
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess
 
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESAU.DLL (file missing)
 
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESAU.DLL (file missing)
 
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab

 
2.  Close your browser
 
3.  Click on Fix Checked which is located at the lower left of the HJT window.  Confirm that you want HJT to fix these items and let it fix them.
 
4.  Close HJT and immediately reboot.
 
5.  Post back here a new HJT log.  
 
6.  Also post the Superantispyware log that started this whole issue.
siliconman01
Re: Computer Help Needed Please !
« Reply #4 on: Feb 1st, 2009, 3:54am »

In addition to my post above:
 
It would appear that something has happened to your video graphics driver and this is causing the 16/256 color problem.
 
What is the brand and model of your computer?
 
What is the brand and model of your video graphics card?
mashy
Re: Computer Help Needed Please !
« Reply #5 on: Feb 1st, 2009, 6:38am »

Ok, I have since downloaded version 2 of HijackThis.
Is this wise?
Regarding model.. I can tell you it's a Pentium III.
Running Windows 98 Millennium Edition.
Sound card size/model, I am unsure of.
Do I physically remove this from back of hard drive?
Here's the latest scan
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:06, on 01/02/2009
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Here's the log of SuperAntiSpy from a couple of days back with the initial culprits.
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 01/31/2009 at 10:02 AM
 
Application Version : 4.25.1012
 
Core Rules Database Version : 3737
Trace Rules Database Version: 1706
 
Scan type  : Complete Scan
Total Scan Time : 00:59:59
 
Memory items scanned : 173
Memory threats detected   : 0
Registry items scanned    : 2850
Registry threats detected : 0
File items scanned   : 5952
File threats detected     : 10
 
Adware.Tracking Cookie
 C:\WINDOWS\Cookies\mcn0001@mediaonenetwork[1].txt
 C:\WINDOWS\Cookies\mcn0001@statcounter[1].txt
 C:\WINDOWS\Cookies\mcn0001@cgi-bin[1].txt
 C:\WINDOWS\Cookies\mcn0001@atdmt[2].txt
 C:\WINDOWS\Cookies\mcn0001@serving-sys[2].txt
 C:\WINDOWS\Cookies\mcn0001@bs.serving-sys[2].txt
 C:\WINDOWS\Cookies\mcn0001@doubleclick[2].txt
 
Adware.Vundo/Variant
 C:\WINDOWS\SYSTEM\NVARCH16.DLL
 C:\WINDOWS\SYSTEM\CNCIO155.DLL
 C:\CANONMP\MP730700\WIN98ME\PRINT\CNCIO155.DLL
 
Boot mode: Normal
 
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://au.rd.yahoo.com/slv/ycheck/as/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bom.gov.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [NewsUpd] C:\Program Files\Creative\News\NewsUpd.EXE /q
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE (User 'Default user')
O4 - .DEFAULT Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE (User 'Default user')
O4 - .DEFAULT Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE (User 'Default user')
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O12 - Plugin for .qt: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/15db451ed965bac34f01/netzip/RdxIE601_fr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
 
--
End of file - 5352 bytes
« Last Edit: Feb 1st, 2009, 6:42am by mashy »
siliconman01
Re: Computer Help Needed Please !
« Reply #6 on: Feb 1st, 2009, 6:56am »

The latest HJT 2.0.2 is Windows ME compatible, so it's okay.

Your latest HJT log is not showing anything malicious.  Are you still getting the message about EGCOMSERVICE_1048.dll?

Is your computer a Dell, or Compaq, or Hewlett Packard, or what?  And what is the model of it?
 
To find out what your video graphics card is,  
 
-  Open the Control Panel
-  Select "System" and open it
-  Click on Device Manager tab.  This will give you a list of hardware items concerning your computer.
-  Locate the item named Display Adapter and click on the + sign next to it.  This will expand the Display Adapter.
-  Copy down exactly what it says the name of the graphics card is.  I suspect that it is nVidia something or other.
 
Post back here the information for the graphics card.  
 
Also you still have not posted the scan log for SuperAntiSpyware...please do so.  I want to see what it quarantined.
« Last Edit: Feb 1st, 2009, 7:05am by siliconman01 »
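
An added example, not part of the thread or any poster's code: a Python check that compares a HijackThis log taken before "Fix checked" with the one taken after, to confirm the checked entries are gone and nothing else disappeared. The sample entries are excerpts of the two logs posted above; the function names are hypothetical, and the stray space in the checked O16 line is kept on purpose to exercise the normalisation.

```python
import re

# HijackThis entry lines start with a section code (R0, O4, O16, ...) then " - ".
# Header lines and the running-process list do not match and are skipped.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return a list of (section_code, body) tuples for every entry line."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def key(entry):
    """Comparison key: logs pasted into a forum can pick up stray spaces inside
    long URLs, so compare with all whitespace removed and case folded."""
    code, body = entry
    return code, "".join(body.split()).lower()

def check_fix(before_log, after_log, checked_lines):
    """Compare two logs against the list of entries that were ticked for fixing."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    checked = {key(e) for e in parse_entries("\n".join(checked_lines))}
    before_keys = {key(e) for e in before}
    after_keys = {key(e) for e in after}
    return {
        # ticked entries that survived the fix and the reboot
        "still_present": [e for e in after if key(e) in checked],
        # entries that vanished although nobody ticked them
        "unexpected_removals": [e for e in before
                                if key(e) not in after_keys and key(e) not in checked],
        # entries only in the later log (new software, or a newer HJT listing more keys)
        "new_entries": [e for e in after if key(e) not in before_keys],
    }

# Excerpt of the v1.99.1 log from the thread (before the fix).
BEFORE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\SYSTEM\NAVSHEXT1.DLL (file missing)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESAU.DLL (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
"""

# Excerpt of the v2.0.2 log from the thread (after the fix).
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\PROGRAM FILES\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
O4 - HKUS\.DEFAULT\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet (User 'Default user')
"""

# Entries ticked for fixing, as they appear in the instructions in Reply #3.
CHECKED = [
    r"O2 - BHO: System Process - {C2EEB4FA-B6D6-41b9-9CFA-ABA87F862BCB} - C:\WINDOWS\SYSTEM\NAVSHEXT1.DLL (file missing)",
    r"O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMSERVICE_1048.dll,InstantAccess",
    r"O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\COMMON\YHEXBMESAU.DLL (file missing)",
    "O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInit ialSetup1.0.0.8.cab",
]

if __name__ == "__main__":
    result = check_fix(BEFORE_LOG, AFTER_LOG, CHECKED)
    for name, entries in result.items():
        print(f"{name}: {len(entries)}")
        for code, body in entries:
            print(f"  {code} - {body}")
```

Entries reported as new are not automatically suspicious: here they come from SUPERAntiSpyware having been installed and from HijackThis v2.0.2 also listing the default user's Run keys.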
mashy
Re: Computer Help Needed Please !
« Reply #7 on: Feb 1st, 2009, 7:18am »

The sound card is NVIDIA RIVA TNT 2 MODEL 64.
I can tell you that the PC has Intel Pentium III on the hard drive box and it also comes up on screen when booting up.
The hard drive box and keyboard both have a diamond label on them.

As I rebooted just before, I found it still wants to go into safe mode, and shows a box with "The Driver That Displays Items Correctly On Your Screen Isnt Working Properly"
 
Here is a log of the superantispy i did the other day with the initial findings
Here's the log of SuperAntiSpy from a couple of days back with the initial culprits.  
SUPERAntiSpyware Scan Log  
http://www.superantispyware.com  
 
Generated 01/31/2009 at 10:02 AM  
 
Application Version : 4.25.1012  
 
Core Rules Database Version : 3737  
Trace Rules Database Version: 1706  
 
Scan type  : Complete Scan  
Total Scan Time : 00:59:59  
 
Memory items scanned : 173  
Memory threats detected   : 0  
Registry items scanned    : 2850  
Registry threats detected : 0  
File items scanned   : 5952  
File threats detected     : 10  
 
Adware.Tracking Cookie  
 C:\WINDOWS\Cookies\mcn0001@mediaonenetwork[1].txt  
 C:\WINDOWS\Cookies\mcn0001@statcounter[1].txt  
 C:\WINDOWS\Cookies\mcn0001@cgi-bin[1].txt  
 C:\WINDOWS\Cookies\mcn0001@atdmt[2].txt  
 C:\WINDOWS\Cookies\mcn0001@serving-sys[2].txt  
 C:\WINDOWS\Cookies\mcn0001@bs.serving-sys[2].txt  
 C:\WINDOWS\Cookies\mcn0001@doubleclick[2].txt  
 
Adware.Vundo/Variant  
 C:\WINDOWS\SYSTEM\NVARCH16.DLL  
 C:\WINDOWS\SYSTEM\CNCIO155.DLL  
 C:\CANONMP\MP730700\WIN98ME\PRINT\CNCIO155.DLL  
 
« Last Edit: Feb 1st, 2009, 7:25am by mashy »
siliconman01
Re: Computer Help Needed Please !
« Reply #8 on: Feb 1st, 2009, 7:33am »

Thanks for the SuperAntispyware log.  As I suspected, it has falsely quarantined/deleted two drivers from your system....one for the nVidia card and one for your printer (in two locations).
 
 C:\WINDOWS\SYSTEM\NVARCH16.DLL  
 C:\WINDOWS\SYSTEM\CNCIO155.DLL  
 C:\CANONMP\MP730700\WIN98ME\PRINT\CNCIO155.DLL  
 
Please try this:
 
1.  Boot your computer into SAFE MODE
 
2.  Open SuperAntispyware and click on Manage Quarantine.
 
3.  Once the Quarantine window opens, locate the three quarantined items that correspond to the items below.
 
 C:\WINDOWS\SYSTEM\NVARCH16.DLL  
 C:\WINDOWS\SYSTEM\CNCIO155.DLL  
 C:\CANONMP\MP730700\WIN98ME\PRINT\CNCIO155.DLL  
 
Select them one at a time and click on RESTORE.  
 
4.  After they are restored, close Superantispyware and reboot back into Normal mode.  
 
Please tell me the results of how your computer acts now that these two drivers have been re-installed.
mashy
Re: Computer Help Needed Please !
« Reply #9 on: Feb 1st, 2009, 7:47am »

I have written down the above files and rebooted in safe mode.
Opened up superantispy and when I open the manage quarantine tab it won't open up from there; the two tabs to the right side of box are not highlighted?
So I can't get to what you wanted me to change.
Hope this makes sense.
« Last Edit: Feb 1st, 2009, 7:48am by mashy »
siliconman01
Re: Computer Help Needed Please !
« Reply #10 on: Feb 1st, 2009, 7:49am »

Okay, reboot your system back into normal mode and try the Restore option in Superantispyware.  Can you restore?
mashy
Re: Computer Help Needed Please !
« Reply #11 on: Feb 1st, 2009, 8:05am »

I'm in normal mode at the moment.
When I open up super anti spy.. and go to the manage quarantine tab, the restore & remove tabs are not highlighted.
siliconman01
Re: Computer Help Needed Please !
« Reply #12 on: Feb 1st, 2009, 8:08am »

You have to first select the quarantined item.  Then the Restore button should become active.
mashy
Re: Computer Help Needed Please !
« Reply #13 on: Feb 1st, 2009, 8:11am »

I click on the 'quarantine items by date icon'... the restore/remove tabs still do not work.
siliconman01
Re: Computer Help Needed Please !
« Reply #14 on: Feb 1st, 2009, 8:15am »

Isn't there a list of quarantined items under "Quarantined items by date"?  
 
Or if there is a + sign in front of Quarantined items by date, click on the + sign to expand.
« Last Edit: Feb 1st, 2009, 8:16am by siliconman01 »