About:Blank pop up/Virus? And Desktop Hijacker.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Inziladun, Feb 4, 2005.

  1. Inziladun

    Inziladun Private E-2

    Hello, I have two problems, the first (most annoying) is a pop up, the title of the Window is 'About:Blank', it comes up around every 10 minutes and minimizes all applications currently open. The second is a Desktop Hijacker, after a lot of scans I've gotten it to where it's just a blank white page with my Desktop background hiding in the back, though the entire desktop is a giant link (if I click it, it takes me to a website).



    I have 'ZoneAlarm pro' Firewall along with 'Ad-Aware SE personal', 'CWShredder', 'Spy-bot Search', 'AVG 7.0' and 'Spy Sweeper'. I've run them all numerous times and they can't get rid of these problems! All my programs are up-to-date so the only solution I can think of is to wait until more virus definitions are available to update but that'll take weeks and it's a long shot as well.

    So I come to the internet (which I'm lucky I'm even able to access) for help and you guys just so happen to be the first on my search list!

    A little help, please?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    For your Desktop problem try this:

    Right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.

    For the other problems, you need to follow standard procedures.

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal
    If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

    NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.


    After doing ALL of the above if you still have a problem:

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  3. Inziladun

    Inziladun Private E-2

    Thanks for the desktop advice, it worked :)

    As for my Logfile:

    Edit by chaslang: Inline log changed to attachment
     

    Attached Files:

    Last edited by a moderator: Feb 4, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow my instructions:
    You posted inline and still had your browser open. I changed it to an attachment. Please attach logs from now on when they are requested and remember to exit browsers before running HJT. You still have problems. I'll get back to you on them in a few minutes.

    You also must stop using msconfig to perform a selective boot up. You have this running:
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

    Run msconfig and select Normal Startup. I want to see everything that could be loading to make sure there are no other hidden problems.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = tjclan.fragism.com
    O2 - BHO: (no name) - {2F8EBC37-2EE9-1BD0-29E6-746B10106C23} - (no file)
    O2 - BHO: (no name) - {79EA13F6-7781-D40D-0B2A-875DFA433997} - (no file)
    O2 - BHO: (no name) - {B806C119-D661-13F6-CAD2-E2DB53F2C246} - (no file)
    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com
    O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/1c972bc7/enter.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
    O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs6b.instantservice.com/jars...erxsigned35.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsol...ArcadeRdxIE.cab

    After clicking Fix, exit HJT.

    Some of those O15 lines may come back after reboot. If so we will need to run a different procedure to fix them.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.


    Is the below file (C:\WINDOWS\system32\nvsvc32.exe) really missing?
    O23 - Service: NVIDIA Display Driver Service - Unknown - C:\WINDOWS\system32\nvsvc32.exe (file missing)

    nvsvc32.exe is a process that belongs to the NVIDIA graphics card drivers. This process should not be removed, to ensure that your graphics card drivers are working properly.
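As an added illustration (not something posted in this thread), the Python script below applies the triage rules chaslang is using above to HijackThis log lines: it flags the entry types he asks to have fixed (bare hostnames in the IE page keys, win.ini run= autostarts, BHOs with no backing file, Trusted Zone additions, downloaded ActiveX controls, services pointing at missing binaries) and leaves properly formed URLs for the owner to confirm. The rules are my reading of the thread, not HijackThis's own logic; the sample entries are copied from the log excerpts quoted in the posts.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O15"
    reason: str    # why a defender should look at this entry
    entry: str     # the raw log line

# Sample entries copied from the log excerpts quoted in this thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = tjclan.fragism.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.tj-clan.com/forum
F3 - REG:win.ini: run=C:\\WINDOWS\\system32\\soft.exe
O2 - BHO: (no name) - {2F8EBC37-2EE9-1BD0-29E6-746B10106C23} - (no file)
O15 - Trusted Zone: *.windupdates.com
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/1c972bc7/enter.cab
O23 - Service: NVIDIA Display Driver Service - Unknown - C:\\WINDOWS\\system32\\nvsvc32.exe (file missing)
"""

# Every HJT entry starts with a section tag (letter + digits), " - ", then the body.
LINE_RE = re.compile(r"^(?P<tag>[A-Z]\d+) - (?P<body>.*)$")

def triage(log_text: str) -> list[Finding]:
    """Flag HijackThis entries matching the patterns discussed in this thread."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tag, body = m.group("tag"), m.group("body")
        if tag in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip()
            # A bare hostname (or other non-URL) in the IE page keys is the classic
            # start/local page hijack; well-formed http(s) URLs are left for the owner.
            if not value.lower().startswith(("http://", "https://")):
                findings.append(Finding(tag, "IE page key set to a non-URL value", line))
        elif tag == "F3" and "run=" in body and body.split("run=", 1)[1].strip():
            # win.ini run= is empty on a clean system; anything here auto-starts at logon.
            findings.append(Finding(tag, "win.ini run= autostart entry", line))
        elif tag == "O2" and body.endswith("(no file)"):
            findings.append(Finding(tag, "BHO registered with no backing file", line))
        elif tag == "O15":
            # A wildcard Trusted Zone entry relaxes IE security for every host under the domain.
            findings.append(Finding(tag, "domain added to IE Trusted Zone", line))
        elif tag == "O16":
            findings.append(Finding(tag, "downloaded ActiveX control (review its source)", line))
        elif tag == "O23" and "(file missing)" in body:
            findings.append(Finding(tag, "service points to a missing binary", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.entry}")
```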
     
  6. Inziladun

    Inziladun Private E-2

    Sorry.


    Edit by chaslang: Inline log deleted. Please follow directions!
     
    Last edited by a moderator: Feb 6, 2005
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Again you did not follow my instructions:
    This time your log has been deleted. Please post as an attachment.
     
  8. Inziladun

    Inziladun Private E-2

    Bah! :rolleyes:

    Better?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are still forgetting to exit IE sessions before using HJT:
    C:\Program Files\Internet Explorer\iexplore.exe

    Did you forget to do that last time when you were fixing lines? Many things did not get fixed. Some should have been. Like these:
    O2 - BHO: (no name) - {2F8EBC37-2EE9-1BD0-29E6-746B10106C23} - (no file)
    O2 - BHO: (no name) - {79EA13F6-7781-D40D-0B2A-875DFA433997} - (no file)
    O2 - BHO: (no name) - {B806C119-D661-13F6-CAD2-E2DB53F2C246} - (no file)

    The O15 lines I thought may come back.

    And where did this new item come from:
    F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
     
  10. Inziladun

    Inziladun Private E-2

    I exited all internet programs, though one of my problems is a pop up that persists (in case you overlooked it) so it's probably impossible to completely exit IE at this time.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you exit all IE sessions that you are running, and then run Task Manager (press CTRL-ALT-DEL) and select Processes, do you still see an iexplore.exe listed? If so try ending it and watch for a minute and see if it stays killed or comes back. Let me know the results.
     
  12. Inziladun

    Inziladun Private E-2

    Only an 'Explorer' in my processes.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have to shut any IE sessions down that you were not running?

    Run HJT and have it fix the below lines:
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    F3 - REG:win.ini: run=C:\WINDOWS\system32\soft.exe
    O2 - BHO: (no name) - {2F8EBC37-2EE9-1BD0-29E6-746B10106C23} - (no file)
    O2 - BHO: (no name) - {79EA13F6-7781-D40D-0B2A-875DFA433997} - (no file)
    O2 - BHO: (no name) - {B806C119-D661-13F6-CAD2-E2DB53F2C246} - (no file)

    I'm attaching a ZIP file that has a registry patch file inside named tzone.reg. Download the ZIP file and then extract the registry file to a folder or to your Desktop and then double click on it. And when it prompts to Add the file to the registry say yes.

    Then reboot into safe mode and delete:
    C:\WINDOWS\system32\soft.exe

    Now reboot into normal mode and post a new HJT log.
     

    Attached Files:

  14. Inziladun

    Inziladun Private E-2

    I can't add the file to the Registry, it says: 'Cannot import C:/HijackThis/tzone.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor.'
     
  15. Inziladun

    Inziladun Private E-2

    Well I went ahead and followed your other instructions and here's my HijackThis logfile.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That was my fault. Try repeating those steps now and use the attachment that I have here.
     

    Attached Files:

  17. Inziladun

    Inziladun Private E-2

    Computers are a pain :mad:
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! The computers are not a problem. It is the idiots who develop all the malware that are a pain.

    Well so far it looks like the O15 lines are gone. I hope they do not come back after a reboot.

    Are the below lines valid (do you recognize the address):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tj-clan.com/forum
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = tjclan.fragism.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tj-clan.com/forum
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = tjclan.fragism.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = tjclan.fragism.com


    I think the internal protections provided by SpySweeper and other programs you may have installed (like SpywareBlaster, Spybot S&D etc) are getting in the way of fixing the other problems. You need to disable all of them or uninstall them if you do not know how to disable them. Then use Task Manager to end any running processes from them (like spysweeper.exe).

    Then exit all browser sessions including this one and run HJT and select the following lines and then click FIX:
    O2 - BHO: (no name) - {2F8EBC37-2EE9-1BD0-29E6-746B10106C23} - (no file)
    O2 - BHO: (no name) - {79EA13F6-7781-D40D-0B2A-875DFA433997} - (no file)
    O2 - BHO: (no name) - {B806C119-D661-13F6-CAD2-E2DB53F2C246} - (no file)

    Reboot after this and then post a new HJT log.
     
  19. Inziladun

    Inziladun Private E-2

    Yeah, I recognize anything 'TJ-clan'.


    New logfile:
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think you will have to uninstall all your spyware protection programs to get rid of those O2 -BHO lines.

    I see you still have SpySweeper installed. What else? Spybot? SpywareBlaster? Any others? Disconnect from the Internet and uninstall all of them. Then reboot to safe mode and try fixing those three lines again.

    By the way, how are things running right now?
     
  21. Inziladun

    Inziladun Private E-2

    Nothing has been fixed... yet.

    Also, how will uninstalling all my Anti-Virus programs help me get rid of some bad files?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well I wouldn't say nothing was fixed yet. Look at your current log and look at the first one.

    I did not say uninstall your AV program. I said uninstall the spyware scanning protection programs. They can quite often block changes you are trying to make just like they attempt to block malware from making changes. But when malware does get in (either before the tools are installed or afterwards), sometimes the only way to fix the problems is to remove all the items that are blocking you from making changes. If you remove all of these programs and still cannot make changes then either malware is still present and blocking you or you have a permissions problem (you are not allowed to make changes - i.e., do not have the proper privileges).
     
  23. Inziladun

    Inziladun Private E-2

    Well now I know I have a ton of problems my Firewall is holding back, I also got 5 viruses in the process :rolleyes:


    Anyways, I still can't delete those three files, though I probably have a lot of new 'bad' files that I can delete! ;)
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you uninstall the spyware protection programs?

    What viruses are you talking about? Give file names and virus names if known.

    There has been a rash of problems related to these O15 Trusted Zones problems. There seems to be a relationship to some bad executable files.

    Check your C:\Documents and Settings\username folder (replace username with your actual User ID) for files like dddd.exe

    Also check for it in C:\Windows

    Tell me if you find them.
     
