About:blank page - help! Hijack This log included

Hi. I have a problem. I would like to have help with removing this virus from computer without formating. It`s the virus/spyware that changes my homepage to about:blank and gives spy-ware related popups. here`s my Hijack log:


Logfile of HijackThis v1.99.0
Scan saved at 21:45:44, on 08.02.05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\DJSNETCN.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAMME\T-DSL SPEEDMANAGER\SPEEDMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAMME\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\DE\MSNAPPAU.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAMME\GEMEINSAME DATEIEN\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\HPZTSB02.EXE
C:\WINDOWS\ADDMN32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAMME\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\t-online\BSW4\ONLINE.EXE
C:\T-ONLINE\BSW4\TODUCALC.EXE
C:\PROGRAMME\MOZILLA FIREFOX\FIREFOX.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\SYSTEM\ATLIG.EXE
C:\WINDOWS\ADDYE32.EXE
C:\PROGRAMME\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMME\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programme\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {6D258C50-2E47-DC92-007F-A3C991D04D3F} - C:\WINDOWS\SYSTEM\SYSEU32.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\DE\MSNTB.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programme\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAMME\YAHOO!\COMPANION\INSTALLS\CPN2\YCOMP5 _5_7_0.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [T-DSL SpeedMgr] "C:\PROGRAMME\T-DSL SPEEDMANAGER\SPEEDMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ATIPTA] C:\Programme\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\Gemeinsame Dateien\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Programme\Gemeinsame Dateien\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb02.exe
O4 - HKLM\..\Run: [ADDMN32.EXE] C:\WINDOWS\ADDMN32.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLL] ati2evxx.exe
O4 - HKLM\..\RunServices: [ATISmart] C:\WINDOWS\SYSTEM\ati2s9ag.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programme\Gemeinsame Dateien\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programme\Gemeinsame Dateien\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [DJSNetCN] C:\Programme\Gemeinsame Dateien\Symantec Shared\DJSNETCN.exe
O4 - HKLM\..\RunServices: [D3CR.EXE] C:\WINDOWS\SYSTEM\D3CR.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\GEMEIN~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\GEMEIN~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [NTTC.EXE] C:\WINDOWS\SYSTEM\NTTC.EXE
O4 - HKLM\..\RunServices: [ATLIG.EXE] C:\WINDOWS\SYSTEM\ATLIG.EXE
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\PROGRAMME\YAHOO!\YPSR\PPCLEAN.EXE" "clean" "cws" "2"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Programme\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Programme\WinZip\WZQKPICK.EXE
O4 - Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst_current.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/downloads/rtpatch/v2/EARTPX.cab

1. Download AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. Download Ad-aware from here. Open the Ad-aware program and near the bottom click the Check For Updates link. This will open the update manager. Follow the prompts to update your Ad-aware Reference File. Close Ad-aware for now, we will use it later.

3. You may want to print out these instructions for further reference when completing the following steps.

4. Ensure you are showing Hidden Files and Folders as per instructions here.

5. Then reboot your PC into Safe Mode. If you don't know how to do this, see here for further instructions.

6. Restart Hijack This and put a checkmark next to the following entries and click Fix Checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\boivm.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer von T-Online
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {6D258C50-2E47-DC92-007F-A3C991D04D3F} - C:\WINDOWS\SYSTEM\SYSEU32.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\DE\MSNTB.DLL (file missing)
O4 - HKLM\..\Run: [ADDMN32.EXE] C:\WINDOWS\ADDMN32.EXE
O4 - HKLM\..\RunServices: [D3CR.EXE] C:\WINDOWS\SYSTEM\D3CR.EXE
O4 - HKLM\..\RunServices: [ADDYE32.EXE] C:\WINDOWS\ADDYE32.EXE
O4 - HKLM\..\RunServices: [NTTC.EXE] C:\WINDOWS\SYSTEM\NTTC.EXE
O4 - HKLM\..\RunServices: [ATLIG.EXE] C:\WINDOWS\SYSTEM\ATLIG.EXE

Then delete the following files:
C:\WINDOWS\SYSTEM\SYSEU32.DLL
C:\WINDOWS\ADDMN32.EXE
C:\WINDOWS\SYSTEM\D3CR.EXE
C:\WINDOWS\ADDYE32.EXE
C:\WINDOWS\SYSTEM\NTTC.EXE
C:\WINDOWS\SYSTEM\ATLIG.EXE

7. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

8. Scan with Adaware and let it remove any bad files found.

9. Download and run Crap Cleaner from www.ccleaner.com and let it clear your Temporary Files and Folders.

10. Reboot to normal mode

11. Finally, pay a visit to Housecall. Scan for and remove any infected files found on your system.

Post a fresh HijackThis log and the AboutBuster report back here please.

__________________
Owen,
My Website - I Security.org.uk

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.4 _|_ Ad-Aware SE 1.06_|_ HijackThis Log __V1.99.1 _|

[*]Be patient and wait for a response, we'll do our best to help resolve your issue.
[*]When posting for help, start your own thread and stick to it. Don't start multiple threads or post in other peoples threads!

If we have helped you, please consider making a donation to help support the forum. All donations are greatly appreciated. You can also support the forum by placing a link to us on your personal website.

Useful Links:
Posting a Hijack This Log
Preposting and Prevention Info