Help me restore my computer after seeve, aurora etc



#1 jennita (New Member, 7 posts)
A couple of days ago I opened an attachment in Outlook Express and as a result ended up with both seeve.exe (media tickets kept popping up and seeve) and aurora (and could have other problems I don't even know about).

I removed seeve.exe and ran adaware se and microsoft beta spyware and today have not noticed any popups.

However, there is lots that is wrong with my computer and I have no idea how to fix it so it all works again.

Here are some of the problems I am experiencing:

1. my firewall is disabled at start up
2. my Norton's antivirus has been disabled and even if I uninstall and reinstall it still doesn't work (in both safe and normal modes)
3. I cannot access at all any of the AV sites - I just get the message web page unavailable so I seem to be blocked from accessing the sites, scanning my computer for viruses and downloading av s/ware
4. I am unable to use msconfig or regedit - they disappear as soon as you click enter (although I can use them in the safe mode)
5. I cannot use alt ctrl del
6. I cannot use the search function - I just get a blank screen when I click search for files or folders
7. In windows explorer when I click on some buttons/keys nothing happens
8. I cannot print my emails

That's a few of the things I can remember.

Below is my HijackThis logfile (scanned in safe mode so please let me know if the one scanned in normal mode would be better).

Any help at all will be greatly appreciated. Thanks in advance

Jennita


Logfile of HijackThis v1.99.1
Scan saved at 1:16:15 PM, on 24/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vtzuwas] c:\windows\system32\soappq.exe r
O4 - HKLM\..\Run: [Windows Configuration] wincfg32.exe
O4 - HKLM\..\RunServices: [Windows Configuration] wincfg32.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
#2 Wizard (Retired Staff, 5,661 posts)
Hi Jennita and Welcome!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.

Reboot into SAFE MODE (tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. This must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe

O4 - HKLM\..\Run: [vtzuwas] c:\windows\system32\soappq.exe r

O4 - HKLM\..\Run: [Windows Configuration] wincfg32.exe

O4 - HKLM\..\RunServices: [Windows Configuration] wincfg32.exe

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button!!

Now copy & paste the entries below into Killbox's "Full Path of File to Delete"

c:\windows\system32\soappq.exe

c:\windows\system32\wincfg32.exe

c:\windows\wincfg32.exe


As you enter each, place a tick by "Delete on Reboot"

Click "Yes" to Confirm

Click "No" to Reboot

When you get to the last file

Click "Yes" to Confirm

Click "Yes" to Reboot

If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.

Restart in Normal Mode and Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with a fresh HijackThis log and the report from Panda!
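A helper works through a HijackThis log by parsing each entry and comparing the log before and after a fix. The Python script below is an added example for this thread, not HijackThis code and not part of any post: it parses entry lines, diffs two logs (the sample logs are abridged from the two posted in this thread) and applies the kind of reviewer heuristics a helper uses by eye: a referenced file that is missing, a bare file name with no directory, and the same command registered under both Run and RunServices. The heuristics, sample strings and function names are this example's own.

```python
"""Parse HijackThis v1.99 log entries and compare two logs.

Added example for this thread; it is not HijackThis code and not part of any
post. The two sample logs are abridged from the logs posted in the thread;
the review heuristics are the kind a helper applies by eye.
"""
import re
from typing import Dict, List, Set, Tuple

Entry = Tuple[str, str]  # (section code such as "O4", rest of the line)

# Every entry line starts with a section code (R0, F2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of an O4 autostart entry: HKLM\..\Run: [Name] command
O4_RE = re.compile(
    r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
)


def parse_log(text: str) -> List[Entry]:
    """Return (section, body) for every entry line; header lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body").strip()))
    return entries


def diff_logs(before: str, after: str) -> Dict[str, List[Entry]]:
    """Entries only in the first log ("removed") and only in the second ("added")."""
    b, a = set(parse_log(before)), set(parse_log(after))
    return {"removed": sorted(b - a), "added": sorted(a - b)}


def review_entries(entries: List[Entry]) -> List[str]:
    """Reviewer heuristics. Each note marks something to look at, not a verdict:
    a legitimate driver loader (SOUNDMAN.EXE here) trips the bare-name rule too."""
    notes: List[str] = []
    keys_by_command: Dict[str, Set[str]] = {}
    for section, body in entries:
        if "(file missing)" in body:
            notes.append(f"{section}: referenced file is missing -> {body}")
        if section != "O4":
            continue
        m = O4_RE.match(body)
        if not m:
            continue
        command = m.group("command").strip().lstrip('"').lower()
        keys_by_command.setdefault(command, set()).add(m.group("key"))
        # A bare file name is resolved through the search path at logon, so
        # the log alone does not say which file on disk actually runs.
        tokens = command.split()
        if tokens and "\\" not in tokens[0]:
            notes.append(f"O4 [{m.group('name')}]: bare file name, locate it on disk -> {command}")
    for command, keys in keys_by_command.items():
        # RunServices is a Windows 9x key; the same value under both Run and
        # RunServices is a persistence pattern worth a close look.
        if {"Run", "RunServices"} <= keys:
            notes.append(f"O4: same command under Run and RunServices -> {command}")
    return notes


# Sample logs, abridged from the thread's first and second HijackThis logs.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [vtzuwas] c:\windows\system32\soappq.exe r
O4 - HKLM\..\Run: [Windows Configuration] wincfg32.exe
O4 - HKLM\..\RunServices: [Windows Configuration] wincfg32.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
"""

if __name__ == "__main__":
    d = diff_logs(BEFORE_LOG, AFTER_LOG)
    for section, body in d["removed"]:
        print("gone after fix:", section, "-", body)
    for note in review_entries(parse_log(BEFORE_LOG)):
        print("review:", note)
```

Run as-is it prints the seven entries that disappear between the two logs, which are exactly the ones ticked in the post above. The bare-name note fires for SOUNDMAN.EXE as well as wincfg32.exe, which is why these notes are prompts to locate and inspect the file rather than verdicts.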

#3 jennita (Topic Starter, New Member, 7 posts)
Thank you for your response.

I followed all the advice given but unfortunately, I still have the same problem as before - I can't access any of the AV s/ware sites so when I tried to click on Panda Active Scan I get the message "this page cannot be displayed".

I seem to get this every time I try to access AV websites (it's like they are blocked).

Also, when my computer restarted after I completed everything, the firewall was still disabled & I still cannot use the search function. However, I was able to access MSconfig so that was definitely an improvement.

Not sure what to do next.

btw, I wasn't sure what you meant about cutting and pasting the three exe entries into killbox. I didn't know where to cut and paste from so I just typed them in one at a time in the kill box and then rebooted.

Thanking you for the help given so far - it is very much appreciated

Jennita

#4 Wizard (Retired Staff, 5,661 posts)
OK, let's give this a try.

Download "The Hoster" from here
http://www.funkytoad...load/hoster.zip

Press "Restore Original Hosts" and press "OK".

Exit Program.

Download Pfind: http://www.bleepingc...files/pfind.php

UNZIP the contents to a permanent folder and Extract All Files !! Important !!
So make sure all those files remain in the same folder.
Don't use it yet!

Doubleclick pfind.bat
It will scan for a while, so please be patient.
Wait till the doswindow closes.


Post the contents of C:\pfind.txt in your next reply together with a new hijackthislog.
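Restoring the hosts file targets one common reason the AV sites come back as "web page unavailable": hosts entries that pin vendor names to a dead address. The script below is an added example for this thread, not the Hoster tool linked above and not part of any post. It parses a hosts file, reports watch-listed vendor names pinned anywhere and any other name redirected to a non-sinkhole address, and carries the default mapping to write back. The watch-list, the sample file and the documentation-range addresses in it are constructed for the example.

```python
"""Audit a Windows hosts file for entries that redirect security-vendor sites.

Added example for this thread. It is not the Hoster tool the helper linked and
not part of any post. The sample hosts content, the watch-list of vendor
domains and the documentation-range addresses are all constructed.
"""
import ipaddress
from typing import List, Tuple

# The one mapping every Windows hosts file carries by default.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed watch-list: add the vendors and update services you rely on.
WATCH_SUFFIXES = ("symantec.com", "pandasoftware.com", "trendmicro.com", "windowsupdate.com")

# Addresses that ad-blocking hosts lists legitimately use to sinkhole names.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

Mapping = Tuple[int, str, str]  # (line number, address, hostname)


def parse_hosts(text: str) -> List[Mapping]:
    """One (line, address, name) triple per hostname; comments are stripped."""
    mappings: List[Mapping] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        address, *names = line.split()
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # first token is not an address: skip rather than guess
        for name in names:
            mappings.append((lineno, address, name.lower()))
    return mappings


def is_watched(name: str) -> bool:
    """True for a watch-listed domain or any host beneath it."""
    return any(name == s or name.endswith("." + s) for s in WATCH_SUFFIXES)


def audit_hosts(text: str) -> List[str]:
    """Findings for a reviewer: watch-listed names pinned to any address, and
    other names pinned to a non-sinkhole address (a redirect, not a block)."""
    findings: List[str] = []
    for lineno, address, name in parse_hosts(text):
        if name == "localhost" and address in SINKHOLES:
            continue  # the default entry
        if is_watched(name):
            findings.append(f"line {lineno}: {name} pinned to {address} (watch-listed vendor name)")
        elif address not in SINKHOLES:
            findings.append(f"line {lineno}: {name} redirected to {address}")
    return findings


# Constructed sample resembling a hijacked hosts file.
SAMPLE_HOSTS = """# constructed sample, not a real hosts file
127.0.0.1       localhost
127.0.0.1       ads.example.net          # ad-list style block, expected
127.0.0.1       www.symantec.com
127.0.0.1       securityresponse.symantec.com
0.0.0.0         housecall.trendmicro.com
192.0.2.10      www.pandasoftware.com    # TEST-NET address, constructed
198.51.100.7    update.example.org       # not watch-listed, but a redirect
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows XP the live file is C:\WINDOWS\system32\drivers\etc\hosts; read it with audit_hosts(open(path).read()) and, if the findings confirm a hijack, replace the file's content with DEFAULT_HOSTS plus any entries you added yourself.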

#5 jennita (Topic Starter, New Member, 7 posts)
Thank you CreteMonster.

I did as you suggested and here are the logfiles. By the way, my firewall is now not being disabled at start up and I have access once again to the Anti Virus s/ware sites. Thank you sooo much, that is such a big thing. Still no search function and I can't print my emails or from the web and some buttons don't seem to work when I'm on the internet.

Anyway, things are improving and I am very, very appreciative of the time and help you have given.

LOGFILE FROM PFIND

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\Nail.exe: .aspack

Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder

Checking the C:\Documents and Settings\All Users\Application Data folder

Checking the C:\Documents and Settings\Glenda\Start Menu\programs\Startup\ folder

Checking the C:\Documents and Settings\Glenda\Application Data folder

LOGFILE HIJACKTHIS

Logfile of HijackThis v1.99.1
Scan saved at 1:01:50 PM, on 27/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: ninemsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-au\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ScriptBlocking Service (SBService) - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (file missing)
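The pfind report above tags files with a packer marker; `.aspack` is the section name the ASPack packer leaves in an executable. The script below is an added example for this thread, not pfind's own code (the page shows only pfind's output) and not part of any post. It walks the PE headers to the section table and reports section names that belong to known packers, using a constructed, header-only PE skeleton as test input. The section-name list and function names are this example's own, and, as pfind's own disclaimer says, a packed file is not malicious by itself.

```python
"""Report packer-style section names in a PE file.

Added example for this thread. It is not pfind's own code (the page shows only
pfind's output) and not part of any post. The PE skeleton built below is
constructed test data, not a real executable.
"""
import struct
from typing import List

# Section names common packers leave behind: ASPack uses ".aspack" and
# ".adata", UPX uses "UPX0"/"UPX1". Compared case-insensitively.
PACKER_SECTIONS = {".aspack", ".adata", "upx0", "upx1"}


def pe_section_names(data: bytes) -> List[str]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # IMAGE_SECTION_HEADER array, 40 bytes each
    names: List[str] = []
    for i in range(num_sections):
        raw = data[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def packer_hits(data: bytes) -> List[str]:
    """Section names matching a known packer; an empty list proves nothing."""
    return [n for n in pe_section_names(data) if n.lower() in PACKER_SECTIONS]


def scan_file(path: str) -> str:
    """One pfind-style report line for a file on disk."""
    with open(path, "rb") as f:
        hits = packer_hits(f.read())
    return f"{path}: {' '.join(hits) if hits else 'no packer section names'}"


def build_sample_pe(section_names: List[str]) -> bytes:
    """Construct a minimal PE32 skeleton (headers only, not runnable) carrying
    the given section names. Constructed test data for this example."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    optional = b"\0" * 224                    # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(optional), 0x102)
    table = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + optional + table


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".data", ".aspack", ".adata"])
    print("sections:", pe_section_names(sample))
    print("packer hits:", packer_hits(sample))
```

Point scan_file at a real executable to get a report line in the same shape as pfind's; a hit on a system file such as ntdll.dll, as in the report above, is a reason to verify the file's signature and hash against a clean copy, not a verdict on its own.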

#6 Wizard (Retired Staff, 5,661 posts)
Please download Nailfix from here:
http://www.noidea.us...050515010747824
Unzip it to the desktop but please do NOT run it yet.

Be in Safe Mode when you get ready to run this!

From the NailFix folder, please double-click on Nailfix.cmd.

Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Restart in Normal Mode and Scan with PFind again and post those results!

Normal shouldn't be a problem now, let me know if it is!

Do you have the Original Windows CD available?

#7 jennita (Topic Starter, New Member, 7 posts)
For some reason the link to that No Idea site did not work. Web page is unavailable.

Yes, I do have the original Windows disk but for some reason when I put it in my computer I was getting a message that says it's a different version to that on my computer. Not sure if that has something to do with installing Service Pack 2.

#8 Wizard (Retired Staff, 5,661 posts)
I see that, I think the one I am going to attach is the latest version!

Attached Files



#9 jennita (Topic Starter, New Member, 7 posts)
Thanks for that.

Here is the new pfind.txt

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder

Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack

Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder

Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder

Checking the C:\Documents and Settings\All Users\Application Data folder

Checking the C:\Documents and Settings\Glenda\Start Menu\programs\Startup\ folder

Checking the C:\Documents and Settings\Glenda\Application Data folder

#10 Wizard (Retired Staff, 5,661 posts)
Any progress on the Search Function or other missing functions?

How's the PC running now??

Please Install these for added browsing security for Internet Explorer and Firefox!

SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Post back and let me know how things are!!??

Edited by Cretemonster, 27 June 2005 - 06:28 PM.


#11 jennita (Topic Starter, New Member, 7 posts)
Have downloaded the extra protection s/ware (thanks for that) and went to the Microsoft site and downloaded the Panda av s/ware.

Currently running a scan and so far it has picked up that I also have the virus W32/Mytob.fb.worm (it has infected 19 files but these have now been disinfected).

Not sure if this virus would cause the problems I mentioned with search etc.

Anyway, I still can't use the search function and I don't seem to be able to print and everything I load up seems to take simply ages (computer is really slow).

And, the same thing is happening with the buttons not working in windows explorer (and I still can't print from outlook express - although at the moment, I can't seem to print at all and it could be a network problem as the printer driver is on another computer networked to mine).

Also, when I try to hit some of the buttons that don't work in internet explorer, I have seen the message java script:void(0) or javascript.pp (1,2,63).

In other instances, absolutely nothing happens or comes up when I try to click on a button or selection.

#12 Wizard (Retired Staff, 5,661 posts)
Let's try 2 other things

Can you download this customized version of HijackThis:
http://www.geekstogo...=download&id=50

and follow the instructions here to post a both.log
http://home.planet.n...on.html#BOTHLOG

Post those Results please!

Delete the old version of PFind and Download the New from here
http://www.bleepingc...r/pfind-new.zip

Restart in Safe Mode and Run Pfind just as before and Post the log it produces!

Do you have the Original Windows CD? (Sorry, can't remember if I already asked)

If any results from the Panda Scan were produced,please Post those also!

#13 jennita (Topic Starter, New Member, 7 posts)
Thank you so much for all your help.

It seems that everything is totally back to normal now including the little glitches. The java script error I was getting disappeared once I reinstalled my AV s/ware so all is working well now.

Thank you very, very much for your help