start-space has hijacked my browser

Discussion in 'adware, spyware & hijack cleaning' started by brad2003, Dec 6, 2003.

Thread Status:
Not open for further replies.
  1. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    I have tried everything to get rid of this nonsense. I have run CWShredder, HijackThis, Spybot, Ad-Aware -- you name it and I have done it. Below is my HijackThis log. Any ideas? o_O

    Logfile of HijackThis v1.97.7
    Scan saved at 1:21:23 PM, on 12/6/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\SpyKiller\spykiller.exe
    C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://central.informatica.com
    O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/latest/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE6489E-6285-4EED-A572-A3815C7B3748}: NameServer = 10.1.32.61,10.1.32.62
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Brad2003,

    Welcome to Wilders!

    I don't see anything standing out in your HT log, but you should wait for a second opinion from some of the real experts here ;)

    But I have a few questions,

    1. Are you getting your homepage hijacked at all? (There are no signs of this in the log)

    2. Is it just pop-ups you are getting?

    3. Are your problems evident when you first reboot the computer and have just IE open?

    4. Do you see any consistency on when it does or does not occur? (For instance it only happens when you are VPN'd into the corporate network or vice versa.)

    Thanks,

    Dan
     
  3. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    Hi Dan,

    Actually, the reason you don't see anything in the log is because I ran CWShredder and Hijackthis before I took a snapshot of the log. So, in essence, I cleared out everything first.

    What's odd is that this "search-space" will take over my homepage every other time I open IE. Even if I switch my homepage back, and run HijackThis and CWShredder, it will still occur every other time I open IE and stay there until I manually clear it out and change the homepage again. I figure it has to be somewhere in the registry or something but every search turns up with nothing. Does not make a difference if I am connected through the company VPN or not.

    Could it be stuck in the internet connection somewhere? o_O I just don't get it.

    Thanks for the help!!!
     
  4. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay, if you haven't already done so, I would strongly recommend that you download and install Spyware Blaster from

    http://www.webattack.com/dlnow/rdir.dll?id=105693

    Once it is installed, download all updates and select all and click protect against checked items.

    For the rest, I think we will have to see what Pieter or Tony or one of the others thinks about the situation and log.
     
  5. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    One step ahead of you...already have the following installed....

    Spyware Blaster, Ad-Aware, Spybot, Spykiller, Spyware Nuker, CWShredder and Hijackthis.

    I think I have so much installed at this point that half of this stuff is canceling out the other half....
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You can get rid of Spyware Nuker.

    It is just a rip-off of Spybot S&D.

    See link

    http://www.computing.net/security/wwwboard/forum/5855.html

    Snowbound
     
  7. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    oohhhh and welcome to wilders brad2003 :D

    Here is your first karma cookie! ;)

    Snowbound
     
  8. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    Thanks for the info. I guess I just figured that SOMETHING out there has to beat this nonsense.
     
  9. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi brad2003

    Glad everything is under control now.

    Another app you could look at is SpywareGuard 2.2.

    It goes great with SpywareBlaster. Both by JavaCool.

    Here is the link
    http://www.wilderssecurity.net/spywareguard.html

    Snowbound
     
  10. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    Actually, nothing has worked yet. Sorry for the confusion but I didn't mean to make it sound like everything is under control. The site STILL has my browser hijacked. I will try the SpywareGuard....
     
  11. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi brad2003 :)

    SpywareGuard has a real-time scanner, download protection and browser hijack protection. Make sure all 3 of these are checked.

    If your homepage gets hijacked it will display a warning asking you if you want to reset your old homepage.

    Like Dan says in his post, just wait for a second opinion on your HijackThis log.

    Snowbound
     
  12. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    Thanks for the ideas...just for your knowledge, I have been working on this all night. I ended up placing search-space.com into the restricted sites zone in Internet Options. I also cleared out temporary internet files and rebooted. I have pasted in a new HijackThis log for your viewing pleasure. As the site is now in the restricted zone, it doesn't come up anymore but I am afraid this is a temporary fix and not a long-term one. Ideas?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:17:36 AM, on 12/7/2003
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\ibmpmsvc.exe
    C:\Program Files\STOPzilla!\szntsvc.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\llssrv.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\oracle\ora81\bin\vppdc.exe
    C:\oracle\ora81\BIN\TNSLSNR.exe
    c:\oracle\ora81\bin\ORACLE.EXE
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\PRPCUI.exe
    C:\WINNT\AGRSMMSG.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\system32\dla\tfswctrl.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\SpyKiller\spykiller.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/latest/webex/ieatgpc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE6489E-6285-4EED-A572-A3815C7B3748}: NameServer = 10.1.32.61,10.1.32.62
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi brad2003,

    There is one entry in your first log that puzzles me and that is gone in the last one. Can you see if this file:
    C:\WINNT\NavExt.dll is still present on your computer?

    I would like to have a closer look.

    Regards,

    Pieter
     
  14. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    Hi Pieter,

    From an earlier message I read, I removed that file from an earlier hijackthis scan (I can't remember if it was the NavExt.dll from that directory or not). However, after your note, I looked in the C:\WINNT directory and the file is back with yesterday's timestamp. I guess it was "rebuilt" after a reboot or something but it never showed up in a subsequent hijackthis scan.

    What do you think?
     
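Pieter found the hijacker by comparing the two HijackThis logs by eye and noticing an O2 (Browser Helper Object) line that vanished between them. The following is an added example, not code from this thread or from HijackThis itself, that does that comparison mechanically: it parses the R/O entries of two logs, keys BHOs by CLSID, reports what was removed or added, and lists any BHO whose DLL loads from outside Program Files for manual review. The two log excerpts are constructed from lines quoted in this thread, and the "DLL under Program Files" rule is an assumption made for the example.

```python
"""Diff two HijackThis logs and triage Browser Helper Object (O2) entries.

Added example for this thread; not code from the thread or from HijackThis.
The log excerpts are constructed from lines quoted in the thread, and the
"DLL under Program Files" heuristic is an assumption made for illustration.
"""
import re

# Constructed excerpt of the first log (before cleaning): the NavExt BHO is present.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
"""

# Constructed excerpt of the second log (after cleaning and installing SpywareGuard).
LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
"""

# Every HijackThis finding is "<section> - <body>", e.g. "R0 - ...", "O2 - ...".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O2 lines carry the BHO name, its CLSID and the DLL that CLSID resolves to.
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
# Assumption for this example: a BHO whose DLL lives under Program Files (long
# or 8.3 form) counts as installed software; anything else (Windows directory,
# profile, temp) is listed for review. This is triage, not proof of malice.
ALLOWED_PREFIXES = ("C:\\PROGRAM FILES\\", "C:\\PROGRA~1\\")


def parse_log(text):
    """Return {key: line} for every R/O finding in a HijackThis log.

    O2 entries are keyed by CLSID, so the same registration still matches if
    the DLL is renamed; every other entry is keyed by its full text. Header
    lines and the "Running processes" block are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not ENTRY_RE.match(line):
            continue
        bho = O2_RE.match(line)
        key = "O2:" + bho.group("clsid").upper() if bho else line
        entries[key] = line
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added): findings only in the first / only in the second log."""
    before, after = parse_log(before_text), parse_log(after_text)
    removed = sorted(before[k] for k in before.keys() - after.keys())
    added = sorted(after[k] for k in after.keys() - before.keys())
    return removed, added


def bhos_for_review(text):
    """List (CLSID, DLL path) for BHOs whose DLL is loaded from outside Program Files."""
    flagged = []
    for line in parse_log(text).values():
        m = O2_RE.match(line)
        if m and not m.group("path").upper().startswith(ALLOWED_PREFIXES):
            flagged.append((m.group("clsid").upper(), m.group("path")))
    return flagged


def report(before_text, after_text):
    """Human-readable summary combining the diff and the BHO triage."""
    removed, added = diff_logs(before_text, after_text)
    lines = ["Entries gone from the second log:"] + [f"  - {l}" for l in removed]
    lines += ["Entries new in the second log:"] + [f"  + {l}" for l in added]
    lines += ["BHOs loaded from outside Program Files in the first log (review):"]
    lines += [f"  ? {{{clsid}}} {path}" for clsid, path in bhos_for_review(before_text)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE, LOG_AFTER))
```

Two limits of this approach are exactly the ones that show up in the thread. The Program Files rule is only triage: StopzillaBHO.dll in C:\WINNT\system32 is flagged alongside NavExt.dll and is legitimate, so a flagged line means "look at it", not "delete it". And O2 lines reflect what is registered as a BHO in the registry, not what is on disk: once the NavExt CLSID is unregistered the DLL can sit in C:\WINNT again without ever appearing in a later log, which is why checking the directory itself (and, once a placeholder copy is in place, its hash) is still needed.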
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi brad2003,

    I did manage to get my hands on the file in the meantime.
    Haven't had much time to take a good look, but I would think it has to be registered as a BHO to do its dirty work.

    It hijacks to search-space or start-space (as you have found out).
    Until CWShredder is updated to deal with this one or we learn a little more about it, please delete the file, make a copy of, for example, C:\Program Files\SpywareGuard\dlprotect.dll
    in the folder where you found NavExt.dll and rename it to NavExt.dll.
    This way the offending file cannot be placed in that directory and if it gets registered as a BHO the copy of SpywareGuard will get activated.

    Hope this helps and I will keep you posted on any updates.

    Regards,

    Pieter
     
  16. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    All right Pieter! :D

    Good Catch!!

    Thanks! :cool:
     
  17. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    Thanks for the tip. Seems that search-space is gone for now. Kind of odd that HijackThis does not catch the NavExt.dll anymore -- even though it still does exist. I did try to delete it but I got a note from Windows telling me I couldn't because it was in use. Even more odd is that I noticed when I put http://www.search-space.com into my restricted sites in IE, I mistyped it to read htto://www.search-space.com. Don't know if it matters that I put in htto instead of http but it still has not come up since. Maybe killing the NavExt.dll before did kill it. In any event, I will keep search-space in my restricted sites until CWS includes this in an update. Thanks again for your efforts....
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi brad2003,

    You can download version 1.39.1 of CWShredder and run it. It has been updated for the NavExt variant.
    Merijn is FAST!!

    Regards,

    Pieter
     
  19. brad2003

    brad2003 Registered Member

    Joined:
    Dec 6, 2003
    Posts:
    19
    I downloaded the new version and ran it. Says my system was completely clean. Let's keep our fingers crossed!!!

    Thanks again for all the ideas!
     
  20. Unzy

    Unzy Registered Member

    Joined:
    Nov 2, 2003
    Posts:
    1,098
    Location:
    Belgium
    Good catch Pietz!

    Thanks for the help brad :)

    Cheers,
     