
I'm plain desperate!

I've been hijacked by about:blank for about a month now. I've read a lot of the different posts and have tried many of the suggestions but absolutely nothing has worked for me.

I know that there is a hidden .dll file which Reglite is supposed to reveal in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs.

However, there is no AppInit_DLLs in this location on my computer. When I do a search, I find it here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows.

When I click on the data editor, it shows this:
Type: REG_SZ
Type No.: 00000001
Size: 48
Value: SYS:Microsoft\Windows NT\CurrentVersion\Windows

What do I do from here???

I've also tried to view the hidden file using the Microsoft Recovery Console. But I can't even log in to use it because of the password. I've never used a password and when I try to assign myself one, MS still won't accept it. How do I get by this???

I just don't know what else to do. I'm really hoping someone will share some advice with me. I'm ready to chuck this computer out the window. Someone please stop/help me!!! Thanks in advance.

Here's a current HijackThis log:
-----------------------------------------

Logfile of HijackThis v1.98.2
Scan saved at 5:38:06 PM, on 11/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\appwa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\system32\qttask.exe
C:\PROGRA~1\Sony\JOGDIA~1\JogServ2.exe
C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
C:\WINDOWS\System32\wuauclt.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\msbc.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\Documents and Settings\rkl\Application Data\iptl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\?hkntfs.exe
C:\Program Files\Trend Micro\PC-cillin 2000\PNTIOMON.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Trend Micro\PC-cillin 2000\pccntupd.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rkl\Desktop\Liz\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkmbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\fkmbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\fkmbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkmbz.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\fkmbz.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50141
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {DD044C97-E237-CDA4-B4E1-F2933683BE38} - C:\WINDOWS\system32\appdo32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [WebTrapNT.exe] "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [hp Update 2100C] c:\sj644\hpupdate.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB002" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg01ad.dll
O4 - HKLM\..\Run: [msbc.exe] C:\WINDOWS\system32\msbc.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\rkl\Application Data\iptl.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wji] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Real-time Monitor.lnk = ?
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab


I've read a lot of the different posts and have tried many of the suggestions

Can you please tell us exactly what you have tried/done already? You're pretty heavily infested (with a lot more than the about:blank problem), and many of the commonly-suggested removal programs/instructions that you should have run across in different posts should have eliminated some of the infections you have (HijackThis alone will not do the trick in your case).


First of all, let's do some initial and general cleanup:

A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates.

B) Download and run Ad Aware (http://www.lavasoftusa.com) and SpyBot Search & Destroy (http://www.safer-networking.org/en/download/index.html).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. Download and Install Ad-Aware SE (http://majorgeeks.com/download.php?det=506), keeping the default options. However, some of the settings will need to be changed before your first scan.

2. Close ALL windows except Ad-Aware SE.

3. Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let Ad-Aware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to update outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include additional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose: 'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found


* Run SpyBot.

When you first run SpyBot, it will walk you through a Wizard which will perform a few critical functions (making a registry backup, getting the latest updates, etc.).

1. Perform all of the Wizard's tasks.
2. Run the program. Once it completes, have it fix everything it finds.
3. Reboot.


C) Download and run AboutBuster (http://www.majorgeeks.com/download4289.html).


D) Boot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

(If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.)


- Delete the following folders entirely:

C:\Program Files\Common Files\WinTools
C:\Program Files\Web_Rebates
C:\Program Files\Windows SyncroAd


- Delete the following files:

C:\WINDOWS\fkmbz.dll
C:\Documents and Settings\rkl\Application Data\iptl.exe
C:\WINDOWS\system32\?hkntfs.exe


- Empty your Recycle Bin.

- Reboot normally.


E) Run HijackThis again and post a fresh log.


With the types of infections you have, even doing all of the above will probably not get your system totally clean - there will almost certainly be more work to do.
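The triage above is done by eye; as an added example (not code from the thread, HijackThis or any poster), here is a small Python script that applies the same reasoning to lines in the HijackThis v1.98 log format: it flags a search page served out of a DLL resource (the res://...dll/sp.html pattern), an about:blank default page, an unnamed BHO loaded from the Windows directory, Run entries whose path contains an unprintable character or an executable under Application Data, Trusted Zone additions, and a DPF object sourced from a local file. The sample lines are constructed in the shape of the first log, and the rule names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the thread's first HijackThis log:
# a mix of the hijacker entries singled out in the reply and benign lines.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.98.2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\fkmbz.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DD044C97-E237-CDA4-B4E1-F2933683BE38} - C:\WINDOWS\system32\appdo32.dll
O4 - HKCU\..\Run: [Wji] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [Iinl] C:\Documents and Settings\rkl\Application Data\iptl.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O15 - Trusted Zone: *.searchmiracle.com
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://c:\Recycled\1.exe
"""


@dataclass
class Finding:
    kind: str   # which rule fired (rule names are mine, not HijackThis terminology)
    line: str   # the offending log line, verbatim


LINE_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
RES_DLL_RE = re.compile(r"res://.+?\.dll/", re.IGNORECASE)
WINDIR_DLL_RE = re.compile(r"\\WINDOWS\\(system32\\)?[^\\]+\.dll$", re.IGNORECASE)
APPDATA_EXE_RE = re.compile(r"\\Application Data\\[^\\]+\.exe", re.IGNORECASE)


def triage_line(line: str):
    """Return a Finding for one HijackThis line, or None if no rule fires."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list or blank line: not an R/O entry
    kind, body = m.group("type"), m.group("body")
    if kind in ("R0", "R1"):
        # IE start/search settings: the value follows the first " = "
        value = body.partition(" = ")[2].strip()
        if RES_DLL_RE.search(value):
            # search page served out of a DLL resource: the about:blank hijacker pattern
            return Finding("res-dll-search-hijack", line)
        if value.lower() == "about:blank":
            return Finding("about-blank-default-page", line)
    elif kind == "O2":
        if body.startswith("BHO: (no name)") and WINDIR_DLL_RE.search(body):
            # unnamed BHO loaded from the Windows directory; legitimate unnamed
            # BHOs such as Spybot's SDHelper.dll live under Program Files
            return Finding("unnamed-bho-in-windows-dir", line)
    elif kind == "O4":
        r = RUN_RE.match(body)
        if r:
            cmd = r.group("cmd")
            if "?" in cmd:
                # HijackThis prints an unprintable/non-ASCII filename character as '?'
                return Finding("unprintable-char-in-run-path", line)
            if APPDATA_EXE_RE.search(cmd):
                return Finding("run-exe-in-application-data", line)
    elif kind == "O15":
        # any site added to the Trusted Zone deserves a look
        return Finding("trusted-zone-addition", line)
    elif kind == "O16":
        if "- file://" in body.lower():
            # ActiveX (DPF) object sourced from a local file rather than a web host
            return Finding("dpf-from-local-file", line)
    return None


def triage(log_text: str):
    """Run triage_line over a whole log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'trusted-zone-addition': 1, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feeding the full first log from the thread through triage() flags the same entries the reply tells the poster to remove; anything the rules miss (the WinTools BHO under Program Files, for instance) still needs a human eye.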


First of all, THANK YOU so much for responding and helping me. I really appreciate it!!

So previously, I have run the programs you listed... Adaware and Spybot. I think I've even tried CWShredder. BUT since you gave me specific instructions about Adaware, I realize I didn't have the correct settings to do a proper scan.

Also, this computer was running Trend Micro PC-cillin 2000. I attempted to upload the latest definitions but it kept crashing the program. I uninstalled and reinstalled PC-cillin 2000 twice. Then I used an online virus scan, Activescan which didn't seem to find any viruses. So after I got your response, I went to Trend Micro's site and got an updated version of PC-cillin so now this computer is running the 2005 version which cleared up a lot of stuff.

One more thing... after I ran all the programs, I couldn't find these folders to delete:
C:\Program Files\Common Files\WinTools
C:\Program Files\Web_Rebates

I couldn't find these files to delete:
C:\Documents and Settings\rkl\Application Data\iptl.exe
C:\Windows\system32\?hkntfs.exe

Here is a current HijackThis log: (THANKS again! You rock!!)

-------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 12:43:54 AM, on 11/8/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
C:\WINDOWS\system32\qttask.exe
C:\program files\support.com\client\bin\tgcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\?hkntfs.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\PowerPanel\Program\PcfMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\rkl\Desktop\Liz\About Blank\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\oxspk.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxspk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\oxspk.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF5089F1-B33A-D60F-B08A-801E89C146C5} - C:\WINDOWS\system32\syswa32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [JOGSERV2.EXE] C:\Program Files\Sony\Jog Dial Utility\JogServ2.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\system32\qttask.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ZTgServerSwitch] c:\program files\support.com\client\bin\tgcmd.exe /server
O4 - HKLM\..\Run: [hp Update 2100C] c:\sj644\hpupdate.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 825] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P22 "EPSON Stylus Photo 825" /O6 "USB002" /M "Stylus Photo 825"
O4 - HKLM\..\Run: [SafeGuard Popup Blocker Updater (required)] regsvr32 /s C:\WINDOWS\System32\sfg01ad.dll
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Wji] C:\WINDOWS\system32\?hkntfs.exe
O4 - HKCU\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: PowerPanel.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .au: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.earthlink.net
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/pops/mdldetect/PCInfo.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v6.cab


Can you please download this file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to c:\getservices and double-click on the getservices.bat file. A Notepad window will open up. Please paste the contents of that Notepad window into this post.

Post another HijackThis log at the top of your post (makes it easier for me :)), and do not reboot your computer or delete any files until I reply.


Ok.. well I've run into another problem. When I tried to boot the system today, I got an error message saying

"Windows cannot start because the following file is missing or corrupt.
<Windows root>\system32\hal.dll. Please re-install a copy of the above file."

The computer just won't boot at all. I had a friend look at the computer earlier but I doubt he did anything. Could he have made any changes to the start up?

Argh...I take one step forward and 10 steps back. Any advice you have is appreciated.
