Hijacked: www.search-space.com

Discussion in 'adware, spyware & hijack cleaning' started by sloryde, Jan 12, 2004.

Thread Status:
Not open for further replies.
  1. sloryde
    Offline

    sloryde Registered Member

    Being new to this forum, I hope I am posting this correctly. My start page has been hijacked to www.search-space.com.
    I have ron spybot and spywareblaster with no effect. Every time I restart my system I am back at this website. Any ideas? Thanks
  2. subratam
    Offline

    subratam Registered Member

    hey sloryde,
    can u plz do this
    Download, extract and run HijackThis itself:

    Make sure you use the latest version of this program as it is updated often to keep up with the latest threats! When running HijackThis note that most of what it finds will be harmless, so don't try to "Fix" anything yet!!

    HijackThis *
    Download HijackThis from here: http://www.tomcoyote.org/hjt/
    - Use the HijackThis button on left which has the green flashing light next to it.
    Open the download ZIP file to extract the HijackThis program from within.
    - If you can't open the ZIP file, you'll need to get an unzipping tool such as this one.
    Run HijackThis.exe
    Press "Scan" button.
    When done the "Scan" button will change to "Save Log", press that.
    Save the log as a text file.
    In step 3 below, you'll need to copy and paste the contents of this log to a post here.

    HijackThis is a very powerful tool! If you want to try and fix things yourself with it, keep in mind that it makes no distinction between good or bad items. It just does whatever the user instructs it to do, no matter what the consequences might be. You could end up disconnecting yourself from the internet or being unable to reboot your system at all!

    and do wait for some expert over here to chk ur log and help u
    thx
  3. sloryde
    Offline

    sloryde Registered Member

    this is the log I got from hijack this
    Logfile of HijackThis v1.97.7
    Scan saved at 2:19:15 PM, on 1/12/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
    C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADAPP.EXE
    C:\PROGRAM FILES\DELL\ACCESSDIRECT\DADTRAY.EXE
    C:\WINDOWS\DOCKAPP.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
    C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
    C:\PROGRAM FILES\IOMEGA\DRIVEICONS\IMGICON.EXE
    C:\WINDOWS\SYSTEM\HPHA2MON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\HPZTSB01.EXE
    C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\OPWARE32.EXE
    C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware16.exe
    C:\PROGRAM FILES\MICROSOFT HARDWARE\GAME CONTROLLERS\COMMON\SWTRAYV4.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\HPHIPM08.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\TEMP\TD_0001.DIR\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-space.com/
    F1 - win.ini: run=hpfsched
    O1 - Hosts: 5377608764 spywareinfoforum.com
    O1 - Hosts: 5377608764 www.spywareinfoforum.com
    O1 - Hosts: 5377608764 lavasoftsupport.com
    O1 - Hosts: 5377608764 www.lavasoftsupport.com
    O1 - Hosts: 5377608764 searchv.com
    O1 - Hosts: 5377608764 www.searchv.com
    O1 - Hosts: 5377608764 approvedlinks.com
    O1 - Hosts: 5377608764 www.approvedlinks.com
    O1 - Hosts: 5377608764 searching-the-net.com
    O1 - Hosts: 5377608764 www.searching-the-net.com
    O1 - Hosts: 5377608764 ywebsearch.info
    O1 - Hosts: 5377608764 www.ywebsearch.info
    O1 - Hosts: 5377608764 ok-search.com
    O1 - Hosts: 5377608764 www.ok-search.com
    O1 - Hosts: 5377608764 ewebsearch.net
    O1 - Hosts: 5377608764 www.ewebsearch.net
    O1 - Hosts: 5377608764 www.008k.com
    O1 - Hosts: 5377608764 autosearcher.com
    O1 - Hosts: 5377608764 www.autosearcher.com
    O1 - Hosts: 5377608764 www.smutserver.com
    O1 - Hosts: 5377608764 www.smuthosts.com
    O1 - Hosts: 5377608764 www.kinghost.com
    O1 - Hosts: 5377608764 exit.xitcash.com
    O1 - Hosts: 5377608764 www.exitforcash.com
    O1 - Hosts: 5377608764 exit.sellyourexit.com
    O1 - Hosts: 5377608764 sex-explorer.com
    O1 - Hosts: 5377608764 www.sex-explorer.com
    O1 - Hosts: 5377608764 www.online-dialer.com
    O1 - Hosts: 5377608764 network.nocreditcard.com
    O1 - Hosts: 5377608764 www.mtreexxx.net
    O1 - Hosts: 5377608764 www.0190-dialer.com
    O1 - Hosts: 5377608764 install.xxxtoolbar.com
    O1 - Hosts: 5377608764 www.xxxtoolbar.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
    O4 - HKLM\..\Run: [MadExe] C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\LaunchRA.exe -boot
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [CPortPatch] C:\WINDOWS\Quick Install\CPPatch.exe
    O4 - HKLM\..\Run: [BayMgr] DockApp.exe
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\WebScanX.Exe
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [HPHA2MON] C:\WINDOWS\SYSTEM\hpha2mon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb01.exe
    O4 - HKLM\..\Run: [OmniPage] C:\PROGRAM FILES\CAERE\OMNIPAGEPRO90\opware32.exe
    O4 - HKLM\..\Run: [SideWinderTrayV4] C:\PROGRA~1\MICROS~3\GAMECO~1\COMMON\SWTRAYV4.EXE
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe
    O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Dell Home (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://government.dellnet.com/
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
  4. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Hi sloryde,

    Please download and run CWShredder

    Then reboot, run HijackThis again and check the following items in HijackThis that are still there.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.search-space.com/

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.search-space.com/

    All the O1 entries

    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe

    O4 - HKCU\..\Run: [QuickTime Task] c:\windows\qttasks.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Then reboot and delete:
    C:\WINDOWS\svchost.exe <= NOTE, opnly the one in the windows directory

    Regards,

    Pieter
  5. sloryde
    Offline

    sloryde Registered Member

    After following your directions, the problem appears to be fixed. I was unable to find the file C:\WINDOWS\svchost.exe

    Thanks for all the help!
  6. Pieter_Arntz
    Offline

    Pieter_Arntz Spyware Veteran

    Hi sloryde,

    Great to hear the hijack is cured. :)

    Maybe the file is hidden. Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

    On the other hand CWShredder might have "killed" it.

    Regards,

    Pieter
Thread Status:
Not open for further replies.