Having Problems..."about:blank"

Discussion in 'Malware Help (A Specialist Will Reply)' started by Avalon786, Dec 14, 2004.

  1. Avalon786

    Avalon786 Private E-2

    Hello,
    I'm new but have been watching the forum and it has helped me in the past.
    However i have a bigger problem than usual. One day my computer started up with multiple error messages (Mad has caused en error in WIN.DLL, then i got an error message for almost everything and the computer totally crashed) My home page has been changed to "about:blank" and i have a few programs that i runned to try to fix this problem and nothing seems to work...:( I have Spybot but i get an error message when i run the check (its writtin in german ?!?) I have the full program XoftSpy and i run it, it finds spyware, i delete it but next scan and reboot it re-appears. I have tried online free virus scans (Panda, Symnatec...i wanted to use the HouseCall but I cant launch the scan IE crashs each time i try) I dont know what to do to fix my computer. I was able to log online, but still get the "Mad has caused error in WIN.DLL" message. I have Highjack this, maybe someone who knows could look at my log and be able to help me?
    Thanks for any help :)
     
    Avalon786, Dec 14, 2004
    #1
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you run all (skip the online scans you have a problem with) the other steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal ?


    If so, and you still have a problem, do the following:

    Make sure you have HJT Version 1.98.2 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis as a .txt file attachment to your message. All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
    chaslang, Dec 14, 2004
    #2
  3. Avalon786

    Avalon786 Private E-2

    Thank you for your response. Yes i followed all the steps, did the clean-ups and the problem is still here and is still strong. I ran HijackThis in normal mode and you should have the log. What is there that is bad? Thank you very much for your help :)
     

    Attached Files:

    Avalon786, Dec 14, 2004
    #3
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read my directions again:

    - Make sure you have HJT Version 1.98.2
    - All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    You must do the above and post a new log before we can continue.

    You also need to get your update from Microsoft. You are way out of date. Your IE version is only: Internet Explorer v5.51 SP2 (5.51.4807.2300)
     
    Last edited: Dec 14, 2004
    chaslang, Dec 14, 2004
    #4
  5. Avalon786

    Avalon786 Private E-2

    Hey again,
    Sorry about that. I got the new HijackThis version along with some Windows updates (including IE) I ran HijackThis right after boot-up, no windows open, no internet connection. So what does the log tell you?
    Thanks
     

    Attached Files:

    Avalon786, Dec 14, 2004
    #5
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It tells me you are still using HijackThis v1.97.7

    Please download the correct version from our link given in the READ ME FIRST thread: Hijack This!
     
    chaslang, Dec 14, 2004
    #6
  7. Avalon786

    Avalon786 Private E-2

    Sorry about that. I hope i got the right stuff this time (sorry again). Here is the log i took (closed all windows, disconnected internet...)
     

    Attached Files:

    Avalon786, Dec 14, 2004
    #7
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure no IE windows were open? I see the below in your log:

    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    You are also going to have to disable Spybot from placing these restrictions:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Just while we work on your problem. We can enable them again later.
     
    chaslang, Dec 14, 2004
    #8
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled.

    Please bring up Task Manager by hitting CTRL-ALT-DEL. Find the below processes and End them:
    AIEPK2


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {9B4C7A1D-80ED-4ED4-AA50-89CAF6EA6803} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: (no name) - {F441428B-FFC5-41BF-AC17-158BF4256B4E} - C:\WINDOWS\SYSTEM\DBILKAA.DLL
    O3 - Toolbar: (no name) - {0AAF602E-72A1-45FE-BAB1-06971E07EAA2} - (no file)
    O4 - HKLM\..\Run: [aiepk] C:\WINDOWS\DESKTOP\DOWNLOADS\AIEPK2.EXE
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: @Home - {C87CEC04-1739-4D89-9746-34435CE6958F} - http://home.excite.com (file missing) (HKCU)
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/uk/WebInstall.dll
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\path.mht!http://64.200.26.76/d1/arctaa.chm::/painter.exe
    O18 - Filter: text/html - {F459C402-EF0E-43D7-92EC-24B4916E031F} - C:\WINDOWS\SYSTEM\DBILKAA.DLL
    O18 - Filter: text/plain - {F459C402-EF0E-43D7-92EC-24B4916E031F} - C:\WINDOWS\SYSTEM\DBILKAA.DLL


    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\DBILKAA.DLL
    C:\WINDOWS\DESKTOP\DOWNLOADS\AIEPK2.EXE

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    chaslang, Dec 14, 2004
    #9
  10. Avalon786

    Avalon786 Private E-2

    Ok, so i ran HijackThis and fixed the problemes you told me to. I had system restore disabled and viewing of hidden files enabled. I booted in safe mode but couldnt find "C:\WINDOWS\SYSTEM\DBILKAA.DLL" but i did find "C:\WINDOWS\DESKTOP\DOWNLOADS\AIEPK2.EXE" and got tid of it. When i booted up in normal mode i got the error messages again (Spool32 has caused error in <unknown>, Mad has caused error in WIN.DLL) I ran HijackThis again, here's the log. I did notice my homepage was set to the IE default and not on "about:blank" anymore, but still my system crashed 3 times out of 4 on the reboot...what esle could i do?
     

    Attached Files:

    Avalon786, Dec 15, 2004
    #10
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Check this out and see if it applies to you: http://securityresponse.symantec.com/avcenter/venc/data/js.seeker.k.html


    Please download the latest version of HJT before continuing. It is now V1.99. Get it here: http://www.majorgeeks.com/download3155.html
    Do you know what this process from HP is supposed to be for?
    C:\PROGRAM FILES\HEWLETT-PACKARD\HPIS\BIN\MAD.EXE

    Did you fix athe three O16 and two O18 lines I gave you last time in HJT? They are back. We need to find and delete: C:\WINDOWS\SYSTEM\DBILKAA.DLL
    Try fixing them again but do it after booting in safe mode.
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {7DBFDA8E-D33B-11D4-9269-00600868E56E} (WWWInstall Class) - http://go.securelive.com/speed/uk/WebInstall.dll
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\path.mht!http://64.200.26.76/d1/arctaa.chm::/painter.exe
    O18 - Filter: text/html - {F459C402-EF0E-43D7-92EC-24B4916E031F} - C:\WINDOWS\SYSTEM\DBILKAA.DLL
    O18 - Filter: text/plain - {F459C402-EF0E-43D7-92EC-24B4916E031F} - C:\WINDOWS\SYSTEM\DBILKAA.DLL
     
    chaslang, Dec 15, 2004
    #11
  12. Avalon786

    Avalon786 Private E-2

    Ok, I downloaded the new version of HJT and here is the log. I got rid of all my HP (its my printer) files because they were causing some errors. But i still have the about:blank bug. I have the software XoftSpy and everytime it finds "CoolWebSearch" & "TwainTech" I delete them but they always come back...
     

    Attached Files:

    Avalon786, Dec 16, 2004
    #12
  13. Avalon786

    Avalon786 Private E-2

    Also i cannot find: C:\WINDOWS\SYSTEM\DBILKAA.DLL even in safe mode...
     
    Avalon786, Dec 16, 2004
    #13
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download the following tool: Pocket KillBox

    Run Pocket Killbox and choose the Delete on Reboot option. Enter the following into the box for Full Path of File to Delete C:\WINDOWS\SYSTEM\FEBLECB.DLL
    Select the Delete on Reboot button.
    and press the Delete button (red X) and then Yes or OK until your machine reboots.

    What version of XoftSpy do you have? Versions before 4.0 where consider rogue/suspect spyware removal tools. See: http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note

    You are still foregetting to exit browser sessions. Remember what I said:
    - All running programs should be closed, including your web browser, e-mail. Close before running Hijack This!

    You had nine IE sessions running:
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    You are going to have difficulty fixing problems unless you remember to always exit all browser sessions before running HijackThis. And that brings up another question, are you actually clicking Fix in HijackThis. I keep seeing the same info in your log over and over again.

    Please run Spybot and temporarily disable it from placing the restrictions the we see in HJT's O6 lines. Run Spybot and click Mode, select Advanced Mode, Tools, then IE Tweaks. Make sure none of the Miscellaneouse Locks are checked. Then quit Spybot.

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).
    Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {28945D86-82D8-4BE4-A25A-B3672F4B4529} - C:\WINDOWS\SYSTEM\FEBLECB.DLL
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - http://gfetc.webex.com/client/v_eureka-fiji/event/ieatgpc.cab
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O16 - DPF: {15320607-1001-1831-1000-118599957123} - ms-its:mhtml:file://C:\path.mht!http://64.200.26.76/d1/arctaa.chm::/painter.exe
    O18 - Filter: text/plain - {7881D918-08BD-4B19-9DF9-2BD919D31023} - C:\WINDOWS\SYSTEM\FEBLECB.DLL
    O18 - Filter: text/html - {7881D918-08BD-4B19-9DF9-2BD919D31023} - C:\WINDOWS\SYSTEM\FEBLECB.DLL

    Now Reset Web Settings again:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    chaslang, Dec 16, 2004
    #14
  15. Avalon786

    Avalon786 Private E-2

    My version of XoftSpy is 4.02. I found that i had the "iexplore" running without me knowing it, i did "ctrl-alt-del" and saw like 7 of them after i closed everything and had nothing opened. How can this be? I did the Poket Killbox, changed the Spybot settings, i have system restore disabled and viewing of hidden files enabled. So i ended the "iexplore", ran HJT and when i re-booted i had the start page i wanted. Heres the log
     

    Attached Files:

    Avalon786, Dec 16, 2004
    #15
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You still have something locking your settings
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Did you disable Spybot from doing that (and leave it that way for now)?
    If not Spybot, do you have SpywareBlaster or something else placing those restrictions? If so, please disable it.

    Did you Reset Web Setting as instructed?

    How is everything working otherwise?

    The restrictions and the below are bothering me (although they are not big problems). I want to know why they are not clearing. Something is locking them.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = %SEARCH_PAGE_URL%
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
     
    chaslang, Dec 17, 2004
    #16
  17. Avalon786

    Avalon786 Private E-2

    Yeah Spybot doesnt have any blocks enabled. But when i do a scan with Spybot i always get an error message in german as the result and it never finds anything, could it be corrupted? I did reset web settings and it puts "%SEARCH_PAGE_URL%" as my homepage so maybe thats where those files are coming from. When i booted my computer today, about:blank is back as my start page...what can i do?
     
    Avalon786, Dec 17, 2004
    #17
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have SpywareBlaster installed? If yes, temporarily uninstall it.
    I know you have Spybot installed but what version does it say. If 1.3 final, get the current updated detections updates and also make sure you have installed this: Spybot - Search and Destroy DSO Exploit Fix

    Then run HJT and have it fix these lines if still present:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    Then post an new HJT log.
     
    chaslang, Dec 17, 2004
    #18
  19. Avalon786

    Avalon786 Private E-2

    Ok i un-installed SpywareBlaster. I used the Spybot thing (I have the latest version) and it fixed my problem, thanks ^_^. I ran HJT got rid of the 2 files but i noticed more stuff was back. My homepage is set to about:blank again...here is a HJT log
     

    Attached Files:

    Avalon786, Dec 17, 2004
    #19
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have system restore disabled and viewing of hidden files enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {17C8F5B3-AAAB-421F-B2F5-B6E9704553E5} - C:\WINDOWS\SYSTEM\JME.DLL
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O18 - Filter: text/html - {1E30EE60-062C-4577-A459-5603E6AB5DD8} - C:\WINDOWS\SYSTEM\JME.DLL
    O18 - Filter: text/plain - {1E30EE60-062C-4577-A459-5603E6AB5DD8} - C:\WINDOWS\SYSTEM\JME.DLL

    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\SYSTEM\JME.DLL
    Let me know if you have a problem finding or deleting the above file.

    Now Reset Web Settings again:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to www.majorgeeks.com (please leave it at this URL for the time being) . Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
    chaslang, Dec 18, 2004
    #20
  21. Avalon786

    Avalon786 Private E-2

    Ok, so about:blank has been coming back over and over again...i dunno what to do, every boot-up its there, I get rid of it with HJT and everything seems good, but then about:blank is my homepage again each boot-up...what can i do?
     
    Avalon786, Dec 28, 2004
    #21
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Follow my directions below in my previous message. Run those steps and post the new log as requested.
     
    chaslang, Dec 28, 2004
    #22
  23. Avalon786

    Avalon786 Private E-2

    Here is a new log. Also i noticed that my systeme appearance has changed and some programs interface is messed up. Also IE windows launch by themselfs...
     

    Attached Files:

    Avalon786, Feb 8, 2005
    #23
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANCTL.EXE
    C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANKEEP.EXE


    After killing all the above processes, click "Back".

    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = %SEARCH_PAGE_URL%
    O4 - HKLM\..\Run: [Admanager Controller] C:\PROGRAM FILES\ADMANAGER CONTROLLER\ADMANCTL.EXE
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=

    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\PROGRAM FILES\ADMANAGER CONTROLLER <--- the whole folder

    If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

    Now Empty your Recycle Bin.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working. If you have problems, explain them in detail.
     
    chaslang, Feb 8, 2005
    #24
  25. Avalon786

    Avalon786 Private E-2

    Ok,
    So i got rid of the Admanager Controller folder. When i did the HJT scan & fix i couldnt get rid of:
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    those 2 just keep in coming back after each HJT fix. After i had rebooted my homepage was set to about:blank. I switched it to the one i wanted. Here is a new log
     

    Attached Files:

    Avalon786, Feb 9, 2005
    #25
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Goto to your c:\windows\inf folder and find the file named IERESET.INF and rename it to IERESET.OLD

    Download the attached ZIP file and extract the IERESET.INF file from it into your c:\windows\inf folder.

    Then get a new HJT log and post it.
     

    Attached Files:

    chaslang, Feb 10, 2005
    #26
  27. Avalon786

    Avalon786 Private E-2

    Hey,
    Ok thanks. I followed the steps and here is the new log
     

    Attached Files:

    Avalon786, Feb 10, 2005
    #27
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Looks clean! How are things working now?
     
    chaslang, Feb 10, 2005
    #28
  29. Avalon786

    Avalon786 Private E-2

    Ok so its working alright (thanks for all the help so far), only thing is that i dont know why some programs interface changed and are abit messed up...
     
    Avalon786, Feb 11, 2005
    #29
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't know what that statement means! More detail would be helpful.


    You should also perform the steps in the below link to help avoid future problems:
    How to Protect yourself from malware!
     
    chaslang, Feb 11, 2005
    #30

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds