I've got some serious about:blank issues, please help me
-
Well, I've got about:blank and I got it bad. I can log onto the net but it ends right there. I'm unable to browse at all. Whenever I try to open a page or even type the url in, it either goes back to about:blank or it says something like "res:/2efg%r$78H8"
Anyway I downloaded S&D and HijackThis to a floppy and used it on the infected computer, saved the log (to the floppy) and brought it back to this machine where I am posting my MAYDAY from. Please tell me what to do next. Additionally, my PC freezes and/or restarts by itself every now and then, it is very intelligent.
Here is the log, let me know what to do next. Thanks. I hope I followed the instructions clearly.
Looking forward to having an about:blank-free life again soon
Logfile of HijackThis v1.99.1
Scan saved at 9:55:58 PM, on 6/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\addsl32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 3.exe
C:\WINDOWS\System32\rcegig.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\hpwsnnsbc.exe
C:\WINDOWS\System32\hpwsnnsbc.exe
C:\WINDOWS\System32\rkrllv.exe
C:\WINDOWS\sysgq32.exe
C:\WINDOWS\System32\packager.exe
C:\WINDOWS\System32\tasec6.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\n?tdde.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ecsc\sete.exe
C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
A:\hijackthis2222.exe
C:\Program Files\Internet Explorer\iexplore.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {FC381A47-95AC-8A69-D7B5-D90C1513C5E7} - C:\WINDOWS\system32\javael32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 3.exe
O4 - HKLM\..\Run: [dtwloxhnzkcgi] C:\WINDOWS\System32\rcegig.exe
O4 - HKLM\..\Run: [69.tmp] C:\Documents and Settings\Sharon\Local Settings\Temp\69.tmp 2 28129
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKLM\..\Run: [sysgq32.exe] C:\WINDOWS\sysgq32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejng32.exe
O4 - HKLM\..\Run: [wstW32e] tasec6.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\RunServices: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKLM\..\RunServices: [Windows Media Player 3.6d] wmpa36d.exe
O4 - HKLM\..\RunServices: [msupdate] update.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Ikxvmna] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [hB26RSKme] samsrv.exe
O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\System32\prutmct.exe
O4 - HKCU\..\Run: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKCU\..\Run: [LOGITECH SETPOINT Logitech Inc] KHALMNPR.exe
O4 - HKCU\..\Run: [Windows Media Player] 50cent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Oorc] C:\Program Files\ecsc\sete.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - HKCU\..\RunServices: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - Global Startup: Anti-Spyware Blocker.lnk = C:\Program Files\Anti-Spyware Blocker\Anti-Virus.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: RaptisoftGameLoader - http://www.miniclips.com/hamsterball...gameloader.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/e...rInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFB3681E-34F8-4854-BDB0-41908ED21BB1}: NameServer = 208.131.176.126 200.10.152.232
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addsl32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
-
Hello, saint_aubin & Welcome
Wow, you have a big job to do here so let's try & get as much as we can doing this first.
First make sure you can view all hidden files and folders, use this link for help.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Copy all my instructions into wordpad and save to your desktop. You can't have any open browser windows.
Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
Media Access
ecsc
Please close all your internet explorer browsers > Next Click Start > go to Run > type regedit and hit enter > go to 'Edit' > Scroll Down to 'Find' > paste the following in the 'Find What' Box > 11Fßä#·ºÄÖ`I
When regedit finds your search right-click on the right panel and select delete. Keep searching until nothing is found.
Now download the following: Cleanup!, About:Buster, CWShredder, Ad-aware, & Spybot.
* Updating Ad-aware:
Double-Click the Desktop Icon > Click 'Check For Updates Now' > Click 'Connect'
* Updating Spybot:
Double-Click the Desktop Icon > Click Update > Drop-Down Box UniDo(Europe) > Select Pure-Elite(USA) or EON (AU) > Click 'Search for Updates' > Click 'Download Updates'
Please Copy ALL My Notes Below Into Notepad and Save the File to Your Desktop. You Need to be Offline and In Safe Mode to Remove Everything in your Log
Now reboot into safe mode (press F8 during reboot, select safe mode) and DON'T reconnect to the net. You MUST be in safe mode to remove the About:Blank Bug on your system.
Run Hijackthis and place a check next to the following
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\mqayl.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FC381A47-95AC-8A69-D7B5-D90C1513C5E7} - C:\WINDOWS\system32\javael32.dll
O4 - HKLM\..\Run: [dtwloxhnzkcgi] C:\WINDOWS\System32\rcegig.exe
O4 - HKLM\..\Run: [69.tmp] C:\Documents and Settings\Sharon\Local Settings\Temp\69.tmp 2 28129
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKLM\..\Run: [sysgq32.exe] C:\WINDOWS\sysgq32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitejng32.exe
O4 - HKLM\..\Run: [wstW32e] tasec6.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKLM\..\RunServices: [Windows Media Player 3.6d] wmpa36d.exe
O4 - HKLM\..\RunServices: [msupdate] update.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Ikxvmna] C:\WINDOWS\System32\n?tdde.exe
O4 - HKCU\..\Run: [hB26RSKme] samsrv.exe
O4 - HKCU\..\Run: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKCU\..\Run: [Windows Media Player] 50cent.exe
O4 - HKCU\..\Run: [Oorc] C:\Program Files\ecsc\sete.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Win Drivers SSL32] hpwsnnsbc.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.ht m (file missing) (HKCU)
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: RaptisoftGameLoader - http://www.miniclips.com/hamsterbal...tgameloader.cab
O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/...erInstaller.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addsl32.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
and click fix.
Remain in safe mode for the next part of the removal.
- First Run the Cleanit! Program
- Next, Unzip the About:Buster Program to your desktop > Double-Click the Folder > Double-Click About:Buster > Click 'OK' > Click 'Start' >
now the program will start to run, it will take a few minutes, once the program is complete go ahead and run the program again.
- Double-Click CWShredder and click 'Fix'
* Close CWShredder, open Ad-aware and make the following changes to the settings in Ad-aware.
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Scanning Engine:
check: "Unload recognized processes during scanning."
o Under Ad-aware 6 > Settings (Gear at the top) > Tweak > Cleaning Engine:
Check: "Let Windows remove files in use at next reboot."
Press 'Proceed'
Press 'Start'
* Select option 'Use Custom scanning options'
* Click 'Activate in-depth scan'
* Press 'Select drives\folders to scan' Select the active partition which is usually C:
Click 'Customize'
* Make sure the following are all checked:
o 'Scan Within Archives'
o 'Scan Active Processes'
o 'Scan Registry'
o 'Deep Scan Registry'
o 'Scan My IE Favorites For Banned URLs'
o 'Scan My Hosts File'
Click 'Proceed'
* Now press "Next" to let Ad-aware scan your drives.
* Once Ad-aware has completed its scan click 'Next' > Now Click 'Scan Summary' > Click All the Boxes with a Green Check Mark
* Now Click 'Next' and Finally Click 'OK'
Close Out Ad-aware
Open Spybot.
* Click 'Search & Destroy'
* Click 'Check for problems' (the program will now search your HDD)
* Make sure all findings are checked and click 'Fix Selected Problems'
Close SpyBot!
Now Delete the following Files.
Files:
C:\WINDOWS\system32\javael32.dll<---This File
C:\WINDOWS\System32\rcegig.exe<---This File
C:\Program Files\Media Access\<---This Folder
C:\WINDOWS\System32\rkrllv.exe<---This File
C:\WINDOWS\sysgq32.exe<---This File
C:\windows\system32\elitejng32.exe<---This File
C:\WINDOWS\System32\n?tdde.exe<---This File
C:\Program Files\ecsc\<---This Folder
C:\WINDOWS\system32\addsl32.exe<---This File
C:\WINDOWS\System32\mousehs.exe<---This File
Still in Safe Mode, do a file search for these here; if found, delete them:
hpwsnnsbc.exe
tasec6.exe
micront.exe
wmpa36d.exe
samsrv.exe
50cent.exe
Reboot back into normal mode
Download the Hoster from here: http://www.funkytoad.com/download/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Then I want you to do this here
Once complete post a fresh Hijackthis log in your thread.
click start->settings->control panel->internet options->programs tab->RESET WEB SETTINGS
That will change everything back to defaults (M$)......
Change your homepage and search engines to whatever you wish and reset your pc.
When it boots back up, open IE and see if the page stays the way that you set it.
& this here also
Make your Internet Explorer more secure - This can be done by following these simple instructions:
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click once on the Security tab
3. Click once on the Internet icon so it becomes highlighted.
4. Click once on the Custom Level button.
1. Change the Download signed ActiveX controls to Prompt
2. Change the Download unsigned ActiveX controls to Disable
3. Change the Initialize and script ActiveX controls not marked as safe to Disable
4. Change the Installation of desktop items to Prompt
5. Change the Launching programs and files in an IFRAME to Prompt
6. Change the Navigate sub-frames across different domains to Prompt
7. When all these settings have been made, click on the OK button.
8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
5. Next press the Apply button and then the OK to exit the Internet Properties page.
after that do this here
Go for free online Virus scans here:
http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan/
Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.
Then tell us how it is doing & post a new logfile
HGD
Last edited by HJThis; 16-06-2005 at 07:54 PM.
-
wow, I've really got lots of work to do. I'll get right on it and get back to you ASAP. About:blank geez, what a paiiiiin.
-
Hi, saint_aubin
No problem, take your time, someone is always here to help
& yes you have no idea, I see this thing in my sleep, that's
when I get some.
HGD
-
Ok then now this is really ticking me off. Simple instructions yet so hard to follow.
I try to uninstall the files as you instructed.
No problem getting rid of media access however uninstalling 'ecsc' is a great problem.
First, it's not in the list of programs in the add/remove options in control panel. I searched around and found it in the programs file on the C: So then I try to just delete it from there, won't happen. Try changing the name and then deleting it, won't happen. I try putting it in MSN messenger folder then uninstall messenger from add/remove, Messenger uninstalled but it left the 'ecsc' file behind. In all these scenarios/instances I constantly get an error message saying CANNOT DELETE FILE SETE.EXE: ACCESS DENIED. MAKE SURE THE DISK IS NOT FULL AND THE FILE IS NOT WRITE PROTECTED OR CURRENTLY IN USE.... and, as you instructed all files were closed, only the wordpad was opened showing the instructions.
Additionally, I try to bring up regedit as you instructed but it doesn't open, it just flashes (open and close by itself in the wink of an eye) or it just doesn't open at all.
What do I do now? Computer seems to be very intelligent and is constantly outsmarting me......hahahaha. So as I asked before, what do I do now? Definitely looking forward to your response.
-
Hi, saint_aubin
No problem, this will happen, just go on with what you can
fix with HijackThis & delete the files you can, we can always
go back to delete the files that stay on the PC
so please go on & do as much as you can, use HijackThis
let it do its thing.
HGD
-
Hey, am here again. Now I completed that horrible task. My homepage is back now so I must say THANK YOU A LOT. However my woes aren't fully gone.
As it is now I am able to browse the net and keep my homepage. I did the H-this and posted the log below as you ordered.
I have 3 issues to deal with now that I need your much appreciated help.
1) I installed Norton 2002 and every time I start up I keep getting an error message saying unable to properly view page(s) because of some ActiveX setting or the other, something like that. I can't start up Norton to get it to do a manual scan or anything, why is that? It just freezes and I have to close it out.
2) Norton keeps giving me a pop-up saying that I have a virus called mousehs.exe on my machine in c:\windows\system32 folder. I remember it's one of the files I was to delete, which I did. However when I check the location it's not there (and it's not hidden either).
3) Finally the computer keeps rebooting every now and then and I keep getting an error message saying that I have registry problems and should fix it now before the computer crashes, with an offer to click on some website, which in turn tries to sell me regcleaner or registrypro or something like that. Are those error messages valid, or is it just a pop-up sales ad?
How can I get around this...and yes...I know what you're thinking and I agree...this computer is really sick...pneumonia....lol I definitely need some help, that's why I'm here, counting on you. Thanks again and here is the logfile.
Anyway here is my log initially after finishing the procedures you set out. Don't know if anything has changed between then and trying to log on the net and do the scan at the websites you told me to. (and maybe logging on Yahoo and Hotmail and Norton update)
Logfile of HijackThis v1.99.1
Scan saved at 6:59:34 PM, on 6/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 3.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\NORTON~1\Navapw32.exe
C:\WINDOWS\System32\rkrllv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\Notepad.exe
C:\WINDOWS\system32\1.tmp
C:\Documents and Settings\Sharon\My Documents\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\System32\prutmct.exe
O4 - HKCU\..\Run: [LOGITECH SETPOINT Logitech Inc] KHALMNPR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
-
Hi, saint_aubin
Press control-alt-delete to get into the task manager and end the follow processes if they exist:
rkrllv.exe
mousehs.exe
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
Go to Start->Run and type "Services.msc" (without quotes) then hit OK
Scroll down and find the service called.
Mouse Hardware Sync (mousehs)
Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.
Right click on this link http://www.greyknight17.com/spy/DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.
===============
Download, unzip to your desktop CWShredder and run it, then:
1. Click "Check For Update"
(If an update isn't available, skip to step #4.)
4. Click "Fix ->"
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
C:\WINDOWS\System32\rkrllv.exe<---This file
C:\WINDOWS\system32\1.tmp<---This file
C:\WINDOWS\System32\mousehs.exe<---This file
Then reboot tell us how it is & show new logfile.
HGD
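Checking a follow-up log against the earlier fix list and the earlier scan, as the reply above does by hand for the 6/21 log, can be scripted. This is an added example, not part of the thread or of HijackThis itself: the function names and the review hints are assumptions, and the sample lines are excerpted from the logs posted above.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str  # HijackThis section code such as "R1", "O4", "O23"
    body: str  # text after "CODE - "


ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")


def parse_log(text):
    """Extract section entries; the header and process list do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def key(entry):
    """Comparison key: Windows paths are case-insensitive, whitespace varies."""
    return (entry.code, " ".join(entry.body.split()).casefold())


def still_present(fix_list, followup):
    """Entries that were checked for fixing but show up again afterwards."""
    seen = {key(e) for e in followup}
    return [e for e in fix_list if key(e) in seen]


def new_entries(previous, followup):
    """Entries in the follow-up log that the previous scan did not list."""
    prev = {key(e) for e in previous}
    return [e for e in followup if key(e) not in prev]


def review_reasons(entry):
    """Assumed triage hints, not verdicts: reasons to look at an entry."""
    body = entry.body.casefold()
    reasons = []
    if entry.code in ("R0", "R1") and "res://" in body:
        reasons.append("IE page setting points into a local DLL resource")
    if entry.code == "O4" and re.search(r"\.tmp\b|\\temp\\", body):
        reasons.append("autostart runs a .tmp file or a file under Temp")
    if entry.code == "O15":
        reasons.append("site or IP added to the Trusted Zone")
    if entry.code == "O23" and "unknown owner" in body:
        reasons.append("service binary carries no vendor information")
    return reasons


# Excerpt of the 6/15 log from this thread.
PREVIOUS_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\rkrllv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqayl.dll/sp.html#28129
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
"""

# Excerpt of the entries the first reply asked to have fixed.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\mqayl.dll/sp.html#28129
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
"""

# Excerpt of the 6/21 follow-up log from this thread.
FOLLOWUP_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\Navapw32.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\1.tmp
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O15 - Trusted Zone: *.frame.crazywinnings.com
O23 - Service: Mouse Hardware Sync (mousehs) - Unknown owner - C:\WINDOWS\System32\mousehs.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
"""

if __name__ == "__main__":
    previous = parse_log(PREVIOUS_LOG)
    followup = parse_log(FOLLOWUP_LOG)
    print("Fixed earlier but present again:")
    for e in still_present(parse_log(FIX_LIST), followup):
        print(f"  {e.code} - {e.body}")
    print("New since the previous scan:")
    for e in new_entries(previous, followup):
        hints = "; ".join(review_reasons(e)) or "no hint, review by hand"
        print(f"  {e.code} - {e.body}  [{hints}]")
```

An entry that returns after being fixed usually means the process that writes it was still running when the fix was applied, which is why the reply above ends the processes and stops the service before fixing again.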
-
Hey Hey Hey, it's me again with a smile on my face. My homepage is still here. Isn't that something, thanks a lot guys. What'd I do without you.
Well, just trying to fine tune things now and of course you're my guide. I performed my last set of instructions and my logfile is posted below. Sorry for taking so long, the days are so short and man they're busy at work.
My problem I'm having now is that I still am getting a few pop-ups saying registry in a bad state and giving me an option to download (buy) a registry cleaner from whichever site did the pop-up. Also, my Norton still seems a bit funny. It is still giving me mouseh.exe virus alert and also a virus alert saying spybot......can't remember the full thing but I know the word spybot was in it. (Isn't Spybot a cleaner I used earlier?)
I know the files I deleted are in the recycle bin, am not sure if that's where Norton is picking it up from so I made sure to empty the bin but it still popped up at least once after that. I searched my system for mouseh.exe and nothing came up. I went to run>services.msc and checked for the mouse hardware as you told me earlier and it is still showing "DISABLED" as you instructed me to do it, so I don't know why these virus alerts are coming up.
One thing I notice when I go to services.msc and also whenever I boot up and Norton is starting, I get an error (in both cases) saying YOUR CURRENT SECURITY SETTINGS PROHIBIT RUNNING ACTIVEX CONTROLS ON THIS PAGE, AS A RESULT THE PAGE MAY NOT DISPLAY. What's that all about? In the case of Norton, it is inaccessible after that message comes up (inaccessible as when a program freezes); you can only close it then.
As far as the speed and the freezing, so far it seems to be ok. Only the problem I stated above.
Thanks a lot for your time again and keep up the good work. Hey tell me this, where did you guys gain all this knowledge? I wana learn more, wana be like you guys...ALWAYS ON THE BALL!!!!!!!! Keep up the good work.
anyway here is my logfile, aight thanks again
Logfile of HijackThis v1.99.1
Scan saved at 8:37:11 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 3.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dkdu.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Sharon\My Documents\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 3.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\System32\prutmct.exe
O4 - HKCU\..\Run: [LOGITECH SETPOINT Logitech Inc] KHALMNPR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFB3681E-34F8-4854-BDB0-41908ED21BB1}: NameServer = 208.131.176.126 200.10.152.232
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
-
Hi, saint_aubin
Press control-alt-delete to get into the task manager and end the following processes if they exist:
rkrllv.exe
prutmct.exe
If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\System32\prutmct.exe
Make sure you can view hidden and system files: Instructions here
Then Boot to safe mode: Instructions here
Delete the following files\folders IF still present:
C:\WINDOWS\System32\rkrllv.exe <---This file
C:\WINDOWS\System32\prutmct.exe <---This file
Then do a reboot and see how it is.
Now, for the error you are getting for Norton, check the settings I had you do above; you may have to cut back some.
HGD
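One way to confirm that the cleanup in the reply above took effect, as an added example that is not part of the original thread: it parses a fresh HijackThis log and reports whether the two files named in the reply still appear as running processes or autostart entries. The sample log is a constructed excerpt built from lines of the log posted above, and `parse_log` and `still_present` are hypothetical helper names.

```python
import re

# Constructed excerpt, built from lines of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rkrllv.exe reg_run
O4 - HKCU\..\Run: [prutmct] C:\WINDOWS\System32\prutmct.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
"""

# Entry lines start with a section code such as R0, O4 or O23, then " - ".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the first entry line ends the process list
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def still_present(text, targets):
    """Map each target file name to the places it still appears in the log."""
    processes, entries = parse_log(text)
    report = {}
    for name in targets:
        needle = name.lower()
        hits = [("process", p) for p in processes if p.lower().endswith("\\" + needle)]
        hits += [(code, body) for code, body in entries if needle in body.lower()]
        report[name] = hits
    return report

TARGETS = ["rkrllv.exe", "prutmct.exe"]  # the two files named in the reply

if __name__ == "__main__":
    for name, hits in still_present(SAMPLE_LOG, TARGETS).items():
        print(name, "->", hits or "no longer listed")
```

An empty list for a file name means the log no longer references it. A remaining `O4` hit means the autostart entry survived the fix, and a remaining `process` hit means the file was still running when the scan was taken.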