Topic: about:blank problem

gotween
« on: March 17, 2005, 06:32:38 PM »
I have tried No Adware, Microsoft AntiSpyware and Spybot Search and Destroy. Here is my Hijack file. Any help would be great. Thank You.

Logfile of HijackThis v1.99.1
Scan saved at 5:16:11 PM, on 03/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\FedEx\FedEx Ship Manager API\Atom\AtomSvc.exe
C:\Program Files\JavaSoft\JRE\1.2\bin\javaw.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\frsm\frsm.exe
C:\WINDOWS\iesl32.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\syskr.exe
C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ron\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafys.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafys.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13FE6255-35A0-316C-AE95-5C6BEDA4233B} - C:\WINDOWS\system32\d3kt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [frsm] C:\Program Files\frsm\frsm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [iesl32.exe] C:\WINDOWS\iesl32.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: autoback.lnk = C:\Program Files\Winpos\tools\Toolbox.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: TouchWare Monitor.lnk = C:\Program Files\MicroTouch\TouchWare\MtsTsMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {758D2003-64E3-443A-AC4D-824AB4EBF5E3} (KWSSetUp Class) - https://webfence.kewill.net/activex/KWSSetUpActiveX.CAB
O16 - DPF: {8D5267D0-657B-4A38-94C7-6F2888EDFC60} (KPrint Class) - https://webfence.kewill.net/activex/KPrintActiveX.CAB
O16 - DPF: {E7DE4C27-C7D6-4022-8EB7-FC3AFD99B3A2} (KClientFrsm Class) - https://webfence.kewill.net/activex/KFrsmActiveX.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FedExAPI Service (FDXAPISVC) - FedEx - C:\Program Files\FedEx\FedEx Ship Manager API\Atom\AtomSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (  6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\system32\syskr.exe

guestolo
« Reply #1 on: March 18, 2005, 12:05:31 AM »
===Download to desktop About:Buster
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update button and check for updates; if there are any, download them
Then close it for now, we'll need this later

===Download and UNZIP to your desktop
Cwsserviceremove.zip
Ensure you unzip it so you will have cwsserviceremove.reg on your desktop now, we'll need this later

===Copy and Paste the rest of these instructions to a Notepad file and save to your desktop

===Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide extensions for known file types option.
    * Click Yes to confirm.
    * Click OK.

===RESTART your Computer in SAFE MODE

===Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Remote Procedure Call (RPC) Helper <<there are others that look similar, make sure you are looking at the right one

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic

===Open Hijackthis>>Open Misc tools Section>>Open Process manager and kill these processes if still running
C:\Program Files\frsm\frsm.exe
C:\WINDOWS\iesl32.exe
C:\WINDOWS\system32\syskr.exe



===Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and Paste the next entry in bold to the blank box and hit OK

Remote Procedure Call (RPC) Helper

Do the same for this service name

 6QÔõ'ª´ÆÐ8

===Find and delete these files if found
C:\WINDOWS\system32\d3kt.dll <-file
C:\WINDOWS\iesl32.exe <-file
C:\WINDOWS\system32\syskr.exe <-file

===Stay in safe mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafys.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\bafys.dll/sp.html#44768
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {13FE6255-35A0-316C-AE95-5C6BEDA4233B} - C:\WINDOWS\system32\d3kt.dll

O4 - HKLM\..\Run: [frsm] C:\Program Files\frsm\frsm.exe
<--I'm not sure what this one is, if you don't know what it is fix it too, we're just disabling it from running on startup

O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [iesl32.exe] C:\WINDOWS\iesl32.exe

O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstall...MetaStream3.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\system32\syskr.exe



After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

===Navigate to About:buster you unzipped and updated earlier
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may have to scan more than twice
Try until no more files or Data Streams are found

===Double click on cwsserviceremove.reg and allow it to merge to the registry

===RESTART back in Normal mode

===Look for shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===If you have SPYBOT 1.3 installed, this hijacker likes to delete one of its files
Download this file SDHelper13.zip
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder
To ensure it's enabled...Open Spybot>>Immunize
Put a tick next to "Enable Permanent blocking of bad addresses in IE"

===Check ActiveX security settings:
    * In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
        o Download signed ActiveX controls (Prompt)
        o Download unsigned ActiveX controls (Disable)
        o Initialize and script ActiveX controls not marked as safe (Disable)
        o Run ActiveX controls and plug-ins (Enabled)
        o Script ActiveX controls marked safe for scripting (Prompt)

===You should do an Online Virus scan at Housecall's
Set to Autoclean
http://housecall.trendmicro.com/

===Afterwards post back a fresh Hijackthis log
Could you also open Hijackthis>>Open Misc tools section>>Open Hosts file Manager
Click the "Open in Notepad"
Copy and paste back here the Hosts notepad file

===That entry I wasn't sure about before
Can you go to Jotti's online malware scan
Give this site time to load if it's busy
http://virusscan.jotti.dhs.org/

Use the browse button and navigate to this file on your hard drive
C:\Program Files\frsm\frsm.exe <--this file

Right click on the file and choose Select
Then use the Submit button
Let the scan finish
Could you post the results of the scan back here please


NOTE: After the fixes with Hijackthis>>And you restart back to Normal mode
If you are prompted by any of your Anti-Spyware programs about changes
Allow them, so that they won't interfere

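
An added example, not part of the original posts: a small Python triage pass over HijackThis log lines like those in this thread, which flags entries and checks whether the file they name is also in the running-process list. The four rules are assumed heuristics modelled on entries the reply chose to fix (they are not HijackThis's own logic and do not replace an analyst's review), and `triage`, `RULES` and `SAMPLE_LOG` are names made up here.

```python
import re

# Constructed sample: lines from this thread's log; unprintable service short name replaced by "x".
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\iesl32.exe
C:\WINDOWS\system32\syskr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bafys.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: (no name) - {13FE6255-35A0-316C-AE95-5C6BEDA4233B} - C:\WINDOWS\system32\d3kt.dll
O4 - HKLM\..\Run: [iesl32.exe] C:\WINDOWS\iesl32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper (x) - Unknown owner - C:\WINDOWS\system32\syskr.exe
"""

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
PATH = re.compile(r"[A-Za-z]:\\[^\"/]*?\.(?:exe|dll)", re.I)

# (section code regex, body regex, reason). Assumed heuristics, not HijackThis rules.
RULES = [
    (r"R\d", r"= res://", "IE search setting loads a page from inside a local DLL"),
    (r"O2", r"BHO: \(no name\)", "browser helper object without a name"),
    (r"O4", r"\] \"?C:\\WINDOWS\\[^\\]+\.exe", "autostart EXE directly in C:\\WINDOWS"),
    (r"O23", r" - Unknown owner - ", "service binary with no vendor recorded"),
]

def triage(log_text):
    """Flag suspicious entries and note whether their file is a running process."""
    running, findings, in_procs = set(), [], False
    for line in map(str.strip, log_text.splitlines()):
        if line == "Running processes:" or not line:
            in_procs = bool(line)      # section starts at its header, ends at a blank line
            continue
        m = ENTRY.match(line)
        if m is None:
            if in_procs:
                running.add(line.lower())
            continue
        code, body = m.groups()
        for code_re, body_re, reason in RULES:
            if re.fullmatch(code_re, code) and re.search(body_re, body, re.I):
                hit = PATH.search(body)
                path = hit.group(0) if hit else None
                findings.append({"code": code, "path": path, "reason": reason,
                                 "running": path is not None and path.lower() in running})
    return findings
```

A finding with `running` set means the file named by a persistence entry is active right now, which is why the reply stops the service and kills the processes before deleting files.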