about:blank and BHO issue

Discussion in 'adware, spyware & hijack cleaning' started by brad2003, Jul 7, 2004.

Thread Status:
Not open for further replies.
  1. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    I seem to be having the same difficulty that everyone else is having with a random BHO being added to my machine every time I go onto the internet. My search page tries to change to about:blank. Now, I have read through other threads and have tried other things but nothing seems to work. CWShredder and Adaware catch something every time I run them (usually a different ".dll" from my WINNT/System32 directory, which I then delete) but the problem does not go away for good. Below is my hijackthis.log...any ideas?

    Logfile of HijackThis v1.97.7
    Scan saved at 8:55:35 AM, on 7/7/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepserver.exe
    C:\Program Files\Informatica PowerCenter 7.1\RepositoryServer\bin\pmrepagent.exe
    C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: iPassConnect Informatica Remote Access.lnk = C:\Program Files\iPass\iPassConnect Informatica Remote Access\IPassConnectGUI.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.accountonline.com
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - http://www11.informatica.com/Citrix/Icaweb/wficat.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/v_localized/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{44A970B5-5365-4B40-97D2-C4C002CB566B}: NameServer = 10.1.32.61,10.1.32.62
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com,informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CS1\Services\Tcpip\..\{44A970B5-5365-4B40-97D2-C4C002CB566B}: NameServer = 10.1.32.61,10.1.32.62
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com,informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
     
  2. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I am not seeing anything in your log, so let's see if you have a hidden dll.

    Copy the contents of the quote box to Notepad.
    Name the file Appinit.bat
    Save as type All Files
    Save on the Desktop.
    Quote:
    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt


    Double click on Appinit.bat
    This will create a file on the desktop named windows.txt
    Copy and paste that log here.

    I would also like you to do this:
    download this appinit.zip

    Unzip it so that both files (regread.exe and runread.exe) are in the same folder (make it its own folder), then double click on runread.exe to run it.
    After it's been run there will be a "regread.log" file in the same folder you unzipped it to.

    Copy the contents of that here also.
     
  3. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    I can't seem to get the batch file to save the windows.txt file. I pasted in the reg command exactly how you have it there. Am I doing something wrong?

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt

    I did manage to download the other zip file, though. Contents are below.

    A handle was successfully obtained for the
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
    This key has 0 subkeys.
    The AppInitDLLs value exists and reports as 54 bytes, including the 2 for string termination.

    [AppInitDLLs]
    Ansi string : "C:\WINNT\system32\logh.dll"
    0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
    0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
    0020 32 00 5c 00 6c 00 6f 00 67 00 68 00 2e 00 64 00 | 2.\.l.o.g.h...d.
    0030 6c 00 6c 00 00 00 | l.l...

    Thanks for the assistance!
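The regread.log output quoted above dumps the AppInit_DLLs value as a UTF-16LE hex dump. The Python below is an added example, not code from the thread or from the regread tool: it parses that dump layout back into the list of DLL paths, checks the byte count the tool reports against the bytes actually recovered, and flags any path not on a known-good allowlist. The embedded sample log is constructed to mirror the quoted output, and the known_good allowlist is an assumption (on a clean machine this value is normally empty). AppInit_DLLs is a REG_SZ of space- or comma-separated paths, and every DLL listed there is loaded into each process that loads user32.dll, so an entry there runs without appearing as a BHO or Run entry in the HijackThis log earlier in this thread.

```python
"""Decode a regread.log-style hex dump of the AppInit_DLLs value.

Added example (not from the thread or the regread tool). The sample log is
constructed to mirror the output quoted in this thread; known_good is an
assumed allowlist, not something the thread provides.
"""
import re
from typing import Dict, FrozenSet, List, Optional

# Constructed sample in the same layout as the quoted regread.log.
SAMPLE_REGREAD_LOG = r"""
A handle was successfully obtained for the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 54 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINNT\system32\logh.dll"
0000 43 00 3a 00 5c 00 57 00 49 00 4e 00 4e 00 54 00 | C.:.\.W.I.N.N.T.
0010 5c 00 73 00 79 00 73 00 74 00 65 00 6d 00 33 00 | \.s.y.s.t.e.m.3.
0020 32 00 5c 00 6c 00 6f 00 67 00 68 00 2e 00 64 00 | 2.\.l.o.g.h...d.
0030 6c 00 6c 00 00 00 | l.l...
"""

# One dump line: 4-digit hex offset, hex byte pairs, then "|" and the ASCII column.
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})\s+((?:[0-9a-fA-F]{2}\s)+)\|")


def parse_hex_dump(log_text: str) -> bytes:
    """Reassemble the raw value bytes, checking that the offsets are contiguous."""
    raw = bytearray()
    for line in log_text.splitlines():
        m = HEX_LINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(raw):
            raise ValueError(f"dump offset {offset:#06x} is not contiguous")
        raw.extend(bytes.fromhex(m.group(2)))  # fromhex skips the spaces
    return bytes(raw)


def reported_byte_count(log_text: str) -> Optional[int]:
    """Byte length the tool itself reports, if its summary line is present."""
    m = re.search(r"reports as (\d+) bytes", log_text)
    return int(m.group(1)) if m else None


def decode_appinit(raw: bytes) -> List[str]:
    """REG_SZ on NT is UTF-16LE with a two-byte NUL terminator; AppInit_DLLs
    holds DLL paths separated by spaces or commas (both are accepted)."""
    text = raw.decode("utf-16-le").split("\x00", 1)[0]
    return [p for p in re.split(r"[ ,]+", text) if p]


def flag_entries(dlls: List[str], known_good: FrozenSet[str]) -> List[str]:
    """Return the entries that are not on the (case-insensitive) allowlist."""
    allowed = {k.lower() for k in known_good}
    return [d for d in dlls if d.lower() not in allowed]


def analyze(log_text: str, known_good: FrozenSet[str] = frozenset()) -> Dict[str, object]:
    """Parse one regread.log and report what is loaded via AppInit_DLLs."""
    raw = parse_hex_dump(log_text)
    reported = reported_byte_count(log_text)
    dlls = decode_appinit(raw)
    return {
        "raw_length": len(raw),
        "byte_count_matches": reported is None or reported == len(raw),
        "dlls": dlls,
        "flagged": flag_entries(dlls, known_good),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_REGREAD_LOG)
    print(f"{result['raw_length']} bytes recovered, matches tool count: {result['byte_count_matches']}")
    for dll in result["flagged"]:
        print("unexpected AppInit_DLLs entry:", dll)
```

Run against the constructed sample it recovers 54 bytes, which agrees with the count the tool reported, and flags C:\WINNT\system32\logh.dll as the one entry not on the (empty) allowlist. The offset check matters when a dump is copied from a forum post: a dropped or duplicated line shifts the UTF-16 decoding and silently garbles the path.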
     
  4. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    Hello,

    I am finding that sometimes it doesn't save the file on the desktop. Do a search for window.txt and see if you find it that way. I want to compare the two logs with one another. Let me know.
     
  5. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    No dice. I ran the batch file again and searched my entire machine for "window*". Nothing. The DOS window disappears too quickly for me to figure out why it is not saving the file. Here are the contents of the file again -- you see anything I am doing wrong?

    Reg save "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" windows1.hiv
    ren windows1.hiv windows.txt
     
  6. Taz71498

    Taz71498 Registered Member

    Joined:
    May 27, 2004
    Posts:
    674
    Location:
    USA
    It may be because you have Win2000. Let me get back to you, I want to check with an expert before we proceed.
     