Unwanted home page

Hi everybody!

I have a problem with my IE. It seems not to remember my home page and default search engine settings. So, each time I restard my computer and I go on Web, I got a "search Web" window as a Home page that I never downloaded on my machine. In addition, whatever I do (run a Ad-aware, spybot,...) the page comes back always... It's annoying of course but doesn't look very harmfull, anyway does anybody know how I can take this unwanted stuff out of my system vn.msi.tv http://vn.msie.tv/popup6.php?pin=1

You got a copy of a log comming from the Hijackthis. I did a spybot before the hijackthis.

Thanks for helping!

Frank


Logfile of HijackThis v1.97.7
Scan saved at 1:46:16 PM, on 05/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MSGLOOP.EXE
C:\WINDOWS.000\SYSTEM\MSG32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\EXPLORER.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\DOWNLOADED\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\SYSTEM\OLPEFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\SYSTEM\OLPEFA.DLL/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\SYSTEM\OLPEFA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS.000\SYSTEM\OLPEFA.DLL/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS.000\SYSTEM\OLPEFA.DLL/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS.000\SYSTEM\OLPEFA.DLL/sp.html (obfuscated)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {51E08227-B6EA-11D8-A161-00E0D37473E9} - C:\WINDOWS.000\SYSTEM\OLPEFA.DLL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Reboot.exe
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Startup: Adobe Gamma Loader.lnk.disabled
O4 - Startup: eXcentrix Startup.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab

 

Hi fsasseville,

Download: StartDreck and unzip it.
DoubleClick: 'StartDreck.exe'
Hit: config
Hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
Hit >ok.

Post the log it makes.

Regards,

Pieter

 

Thanks for your quick reply!

I just did what you recommend with the Startdreck, here is the result :

StartDreck (build 2.1.5 public BETA) - 2004-06-05 @ 19:59:17
Platform: Windows 98 SE (Win 4.10.2222 A)

»Registry
»Run Keys
»Current User
»Run
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*Zone Labs Client="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
*NAV DefAlert=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
»RunServices
*TrueVector=C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
»RunServicesOnce
**s=rundll32 C:\WINDOWS.000\SYSTEM\COMEPL.DLL,StreamingDeviceSetup
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFCF113F=C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
*FFFF469B=C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
*FFFF4F97=C:\WINDOWS.000\SYSTEM\MSGLOOP.EXE
*FFFF58BB=C:\WINDOWS.000\SYSTEM\MSG32.EXE
*FFFFA9BF=C:\WINDOWS.000\SYSTEM\MPREXE.EXE
*FFFFDC3B=C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE
*FFFF9093=C:\WINDOWS.000\SYSTEM\mmtask.tsk
*FFFEA15F=C:\WINDOWS.000\EXPLORER.EXE
*FFFE6C6B=C:\WINDOWS.000\RUNDLL32.EXE
*FFFDB6F7=C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
*FFFCD18B=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFFA3023=C:\WINDOWS.000\SYSTEM\DDHELP.EXE
*FFFA2ACB=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF86903=C:\WINDOWS.000\SYSTEM\SPOOL32.EXE
*FFFAE7D3=C:\WINDOWS.000\SYSTEM\PSTORES.EXE
*FFFA2667=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFF9B9D7=C:\PROGRAM FILES\WINRAR\WINRAR.EXE
*FFF7ACEB=C:\WINDOWS.000\TEMP\RAR$EX00.137\STARTDRECK.EXE
»Application specific

 

Hi fsasseville,

-Download: Win98Fix.zip from http://www10.brinkster.com/expl0iter/freeatlast/pvtool.htm and unzip it
-DoubleClick on: 'RunFix.reg' file, hit 'yes' on the prompt!
-Restart computer!
-C:\WINDOWS.000\SYSTEM\COMEPL.DLL should be visible!
-Delete it.

Then download and run CWShredder
Use the Fix button and follow the instructions provided by the program.

Then use AdAware as described here:
https://www.wilderssecurity.com/showthread.php?t=15913

When you are done, run HijackThis again and post the new log, so we can see if it all worked out as planned.

Regards,

Pieter

 

Hi again Pieter!

I just finished the work, here is the log :

Thanks!

Frank

Logfile of HijackThis v1.97.7
Scan saved at 1:45:34 PM, on 06/06/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS.000\SYSTEM\KERNEL32.DLL
C:\WINDOWS.000\SYSTEM\MSGSRV32.EXE
C:\WINDOWS.000\SYSTEM\MSGLOOP.EXE
C:\WINDOWS.000\SYSTEM\MSG32.EXE
C:\WINDOWS.000\SYSTEM\MPREXE.EXE
C:\WINDOWS.000\SYSTEM\mmtask.tsk
C:\WINDOWS.000\EXPLORER.EXE
C:\DOWNLOADED\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS.000\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: Reboot.exe
O4 - Startup: Microsoft Office.lnk.disabled
O4 - Startup: Adobe Gamma Loader.lnk.disabled
O4 - Startup: eXcentrix Startup.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) - http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/148119a2571ca3/housecall.antivirus.com/housecall/xscan53.cab

 

Good job, Frank

Please read How did this happen and can I prevent it?

Regards,

Pieter

 

Hi Pieter!

Thank you for your great cooperation and your precious understanding of computers. As a "normal" computer user, we sometime feel so "ressourceless".

Thanks again and sorry for my english, it's not my mother language...

Best regards

Frank

 

No problem, my mother doesn't understand it either.

Regards,

Pieter