1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Software to remove About Blank other than HJT?

Discussion in 'Virus & Other Malware Removal' started by geezerview, Feb 13, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    About Blank has hijacked my Internet Explorer function, so I'm now using Firefox. Everyone recommends using HiJack This to remove About Blank but it looks quite technical to me.
    Is there any simpler software that would get rid of this spyware? I tried using Spyware Nuker, which claimed it could remove it - but it didn't work. Can anyone recommend anything else?
    I'm also getting error messages such as Spool32 has caused an error in <unknown> and similar message for Rundl - so my printer doesn't work.
    I've also been inundated with Spyware popups.
    I'm using Windows Me.
    Any and all suggestions welcome!
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Posting the Hijackthis log is reccommended- there are several types of About:blank hijacks, and different tools are used with expert help, they are not automated and there are some other steps you must do or the hijack will return. CWShredder may tell you it was removed, however it will return- the ONLY way to get rid of some variants is with the use of Hijackthis and the special tools, which we advise you use with someone's help. Make sure, you have the newest version of hijackthis> 1.99. Post the log here as a reply in your thread, here is a good link to get 1.99

    www.radiosplace.com

    Make sure you do create a new folder>rename it to something you like such as HJT, and download hijackthis.exe TO the folder you made...otherwise we will keep on posting for you to do this. It is important you make a separate folder to hold the program.
     
  3. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Do not attempt to remove anything with HijackThis yourself!!
    Post your log as instructed and someone will advise you further.

    ;)
     
  4. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    OK, here's the HJT log & just to give some more info on the problems I've had, one of the spyware remover programs I used found three items identified as:
    CWS About Blank
    CWS NS3 Hijacker
    Trojan Horse - Spooner A
    I hope this all helps, and again, thanks for any help you can provide.
    Also, since I last posted here, I installed McAfee Virusscan, then uninstalled it after advice from a few people who said it would be better if it wasn't there.
    Here's the log:

    Logfile of HijackThis v1.99.0
    Scan saved at 12:49:35 AM, on 2/15/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\DESK98.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\TELUS ECARE\SMARTBRIDGE\MOTIVESB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\CHECKIT NETOPTIMIZER\CKMONITR.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\TEMP\MDPL.DAT
    C:\MY DOCUMENTS\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TELUS Internet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - (no file)
    O2 - BHO: (no name) - {BA7F7BBC-DFAD-4327-B285-48F12D5745AB} - C:\WINDOWS\SYSTEM\JJLB.DLL
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\REGISTRY CLEANER\REGCLEAN.EXE"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: QUICKEN STARTUP.LNK = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Startup: BILLMINDER.LNK = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Startup: CHECKIT INTERNET MONITOR.LNK = C:\Program Files\CheckIt NetOptimizer\CKMonitr.exe
    O4 - Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
    O4 - Startup: ENCODER AGENT.LNK = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O4 - Startup: POWERREG SCHEDULER.EXE
    O9 - Extra button: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL
    O9 - Extra button: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL (HKCU)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, you do have several problems....

    First, download this to have handy in case your Internet connection is affected> it's common to have happen, so be prepared:

    http://www.majorgeeks.com/download4372.html

    Just download it to have handy, the desktop is fine for that.
    ___________________________
    Add/Remove Programs, uninstall:

    SpywareBegone- anything

    PowerRegScheculer-anything

    Also in Add/Remove Programs, see if New.Net or NewDotNet Domains or similar is listed, and uninstall it.

    Next> if no entry for New.Net, do this:

    Go to the site below, and follow Procedure #4 to run their uninstaller.

    http://www.newdotnet.com/removal.html

    Let me know if you cannot download that uninstaller.
    Your security settings may not allow it...but there are other ways to do it.

    post a new log from HJT when you are ready.
     
  6. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    Before I do any of the above, I would like to be able to print but I still can't do that.
    Is there anything I can quickly do to get my printer working? I tried uninstalling all of the Epson software and reinstalling it from my Epson CD. I got one print and then started getting the same messages "Spool32 has caused an error in <unknown>" and ditto for Rundl and then, of course, no printouts.
    Can you help?
     
  7. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Wish I could but if reinstalling did not help, more than likely some malware is affecting the printer software or a Windows file...

    If you need to copy the steps for the fix, simply use Notepad to copy and paste them to a text file, save it to your desktop to have while you cannot open Internet Explorer, or be online, or are working in Safe Mode.

    If it is a USB printer there are some extra steps you may have to do....if you seriously need to print right now, go to the support site for the printer at Epson and hunt for the complete uninstall directions, which usually advise doing it in Safe Mode....if the printer also connects to a scanner, they usually have you remove the USB stuff and reinstall that> I would advise for you not to do anything without the correct steps though.
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi cgisharon--- I know you did not do this maliciously, so do not take offense...we would ask that you start your own New Thread please, as this one belongs to someone already and it is extremely confusing to those helping and the original poster when other people ask for help in the same thread. You can simply delete your posting here, by using the EDIT button, way up top you will find the box to put a check in and the Delete button.

    Open a New Thread for yourself, don't just go away, you will get help!
     
  9. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    Thanks greatly for your help so far. I have gone through the steps you advised. When I tried to remove SpywareBegone in the uninstaller, I got a message "Could not unload initialization file" so I couldn't go further there. I uninstalled PowerRegScheduler and followed step 4 for the newdot.net link.
    Again, thanks for any help you can provide.
    Here's my new log:
    Logfile of HijackThis v1.99.0
    Scan saved at 8:06:37 PM, on 2/17/2005
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\PCTVOICE.EXE
    C:\WINDOWS\SYSTEM\DESK98.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\TELUS ECARE\SMARTBRIDGE\MOTIVESB.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGCC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGEMC.EXE
    C:\PROGRAM FILES\GRISOFT\AVG FREE\AVGAMSVR.EXE
    C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
    C:\PROGRAM FILES\QUICKENW\QWDLLS.EXE
    C:\PROGRAM FILES\CHECKIT NETOPTIMIZER\CKMONITR.EXE
    C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
    C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\TELUS ECARE\BIN\MPBTN.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\MY DOCUMENTS\HIJACK\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by TELUS Internet Service
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINDOWS\SYSTEM\SZIEBHO.dll
    O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - (no file)
    O2 - BHO: (no name) - {BA7F7BBC-DFAD-4327-B285-48F12D5745AB} - C:\WINDOWS\SYSTEM\JJLB.DLL
    O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A3EE-FB7FA682AA7D} - (no file)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_5_7_0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [PCTVOICE] pctvoice.exe
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] desk98.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
    O4 - HKLM\..\Run: [MSKServerExe] C:\Program Files\McAfee\SpamKiller\MSKSrvr.exe
    O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKAGENT.EXE
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\MCAFEE\SPAMKI~1\MSKDETCT.EXE /startup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.EXE
    O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
    O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\PROGRAM FILES\ATI MULTIMEDIA\MAIN\LAUNCHPD.EXE"
    O4 - HKCU\..\Run: [Spyware Begone] C:\FREESCAN\FREESCAN.EXE -FastScan
    O4 - HKCU\..\Run: [Registry Cleaner] "C:\PROGRAM FILES\REGISTRY CLEANER\REGCLEAN.EXE"
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE" /0
    O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
    O4 - Startup: MICROSOFT WORKS CALENDAR REMINDERS.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    O4 - Startup: MICROSOFT OFFICE.LNK = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: QUICKEN STARTUP.LNK = C:\Program Files\QUICKENW\QWDLLS.EXE
    O4 - Startup: BILLMINDER.LNK = C:\Program Files\QUICKENW\BILLMIND.EXE
    O4 - Startup: CHECKIT INTERNET MONITOR.LNK = C:\Program Files\CheckIt NetOptimizer\CKMonitr.exe
    O4 - Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
    O4 - Startup: ENCODER AGENT.LNK = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
    O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL
    O9 - Extra button: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL (HKCU)
    O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {F67455F6-A8B3-4102-8759-B517EEE1C830} - C:\WINDOWS\SYSTEM\IEGFXFRW.DLL (HKCU)
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .avi: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O18 - Filter: text/html - {6DF854EA-8A5A-4803-8E4E-5A894FF75B77} - C:\WINDOWS\SYSTEM\JJLB.DLL
    O18 - Filter: text/plain - {6DF854EA-8A5A-4803-8E4E-5A894FF75B77} - C:\WINDOWS\SYSTEM\JJLB.DLL
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Sorry I had to be out of town most of the day, and saw your reply too late to help tonight. Please come back with a new Hijackthis log in the morning and I should, or someone will, be able to help you get rid of the about:blank hijack, which is in full swing now. It can be fixed, but do try once you start the computer not to restart unless you are asked to or have to.

    Restarting can make the hijacker change filenames so the fixes we post will not be fixing anything...

    The hijack does tend to get worse if you run AdAware/Spybot etc.... CWShredder may temporarily fix it, but it will come right back unless you do the steps in order, and completely, as directed...so, you will need some time to be available. It would be best if there was another computer to use just to check the replies, that you could print directions on, to keep the Internet use of that infected pc down to minimum, though it is not absolutely neccessary it is helpful to have another machine handy.

    Since we don't know your schedule etc, tell us what would be good for you...if the fix has to wait, simply shut the pc off and come back here when you can work on it. Again, sorry I had to be out all day, I can be here tomorrow. These threads are open to other helpers here, usually they will pop in and assist> things are very busy here these days so I can see why perhaps no one could help you...and, you might not have been able to be here. Hope you get back in the morning.

    Start with a rundown of what your time frame is, and post a new HJT log when you are ready.
     
  11. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    Thanks again for your help. I had to be away a good part of Thursday as well, so things worked out well anyway.
    I didn't realize you had to keep the computer on and not restart to get this process going.
    Friday is going to be quite busy, so this will probably have to wait a day or two. I only have the one computer, so that might make things take longer.
    How long a process is this likely to be?
    Is the other alternative to back up essential files onto CDs, wipe out everything and reinstall Windows and the other software?
    What about getting WinXP and just rebuilding the whole blasted thing?
     
  12. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, I didn't plan on staying up this late, but ended up doing it, spotted your reply just now...

    I don't know exactly how long it will take- but an hour or so should do. It is during that time that restarting after you begin the fix is critical. You can and should turn it all off for the night, if you are used to leaving the computer running all the time-- I know some people swear that they know it is best to leave a computer running 24/7, it is dangerous and a waste to do that unless you run a business that uses a server that has to be running all the time.

    Didn't mean that should not shut down tonite...

    Only, when you are doing the steps to fix the hijack. If you have DSL or cable service, when not using the Internet, remove the network cable or telephone line if the computer is on and you are working on documents, programs that do not involve Internet etc that you have to use.

    Unless you like to reinstall> really no need for wiping things. That is always an option, and if you are planning to get XP, might be a good practice run at removing malware for you. This hijack seems simple to me now, considering some of the stuff we are seeing in the past week or two. There is always the possibility that you could have a new variant however it doesn't look like anything worse than the usual about:blank hijack. People post all the time telling us they have been fighting with one like yours for weeks, months, until they found TSG and fixed it.
    What gets into the system along with, or on top of, about:blank can be a factor. I do advise that if it is at all possible you do find an hour or so tomorrow to run some tools and at least become familiar with what you need to do. Most of the time it takes about an hour depending on the condition of the computer, your Internet speed, ability with computer use etc. Possibly 2 to 3 hours if a couple of online antivirus scanners are used/advised or if you have dialup service maybe even longer...
     
  13. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    Hi Byteman,
    Sorry I wasn't able to get to this Friday.
    Please let me know when you'll be available next so we can proceed.
    I have DSL so my Internet speed is quite good.
     
  14. geezerview

    geezerview Thread Starter

    Joined:
    Jan 18, 2005
    Messages:
    20
    Hi again,
    I guess the best thing to do - and I don't want to intrude on anyone's weekend - is to simply post a HJT log and maybe someone can help. I'm new to all this and don't want to violate any forum etiquette rules here.
    I will probably post a log Sunday or Monday and let the computer stay on.
     
  15. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/330227

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice