start-space has hijaked my browser

I have tried everything to get rid of this nonsense. I have run CWShredder, hijackthis, spybot, ad-aware -- you name it and i have done it. below is my hijckthis log. any ideas?

Logfile of HijackThis v1.97.7
Scan saved at 1:21:23 PM, on 12/6/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\oracle\ora81\bin\vppdc.exe
C:\oracle\ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://central.informatica.com
O2 - BHO: (no name) - {00110011-4B0B-44D5-9718-90C88817369B} - C:\WINNT\NavExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE6489E-6285-4EED-A572-A3815C7B3748}: NameServer = 10.1.32.61,10.1.32.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62

 

Hi Brad2003,

Welcome to Wilders!

I don't see anything standing out in your HT log, but you should wait for a second opinion from some of the real experts here

But I have a few questions,

1. Are you getting your homepage hijacked at all? (There are no signs of this in the log)

2. Is it just pop-ups you are getting?

3. Are your problems evident when you first reboot the computer and have just IE open?

4. Do you see any consistency on when it does or does not occur? (For instance it only happens when you are VPN'd into the corporate network or vice versa.)

Thanks,

Dan

 

Hi Dan,

Actually, the reason you don't see anything in the log is because I ran CWShredder and Hijackthis before I took a snapshot of the log. So, in essence, I cleared out everything first.

What's odd is that this "search-space" will take over my homepage every other time I open IE. Even if I switch my hoempage back, and run hijackthis and CWShredder, it will still occur every other time I open IE and stay there until I manually clear it out and change the homepage again. I figure it has to be somewhere in the registry or somehting but every search turns up with nothing. Does not make a difference if I am connected through the company VPN or not.

Could it be stuck in the internet connection somewhere I just don't get it.

Thanks for the help!!!

 

Okay, if you haven't already done so, I would strongly recommend that you download and install Spyware Blaster from

http://www.webattack.com/dlnow/rdir.dll?id=105693

Once it is installed, download all updates and select all and click protect against checked items.

For the rest, I think we will have to see what Pieter or Tony or one of the others thinks about the situation and log.

 

One step ahead of you...already have the following installed....

Spyware Blaster, Ad-Aware, Spybot, Spykiller, Spyware Nuker, CWShredder and Hijackthis.

I think I have so much installed at this point that half of this stuff is canceling out the other half....

 

U can get rid of spyware nuker.

It is just a ripoff of spybot S&D.

See link

http://www.computing.net/security/wwwboard/forum/5855.html






Snowbound

 

oohhhh and welcome to wilders brad2003

Here is your first karma cookie!






Snowbound

 

Thanks for the info. I guess I just figured that SOMETHING out there has to beat this nonsense.

 

Hi brad2003

Glad everything is under control now.

Another app. u could look at spywareguard2.2

It goes great with spywareblaster. Both by javacool.

Here is the link
http://www.wilderssecurity.net/spywareguard.html




Snowbound

 

Actually, nothing has worked yet. Sorry for the confusion but I didn't mean to make it sound like everything is under contol. The site STILL has my broswer hijacked. I will try the spyware guard....

 

Hi brad2003

Spywareguard has realtime scanner , download protection and browser hijack protection. Make sure all 3 of these are checked.

If your homepage gets hijacked it will display a warning asking u if want to reset your old homepage.

Like Dan says in his post, just wait for second opinion on your hijackthis log.





Snowbound

 

Thanks for the ideas...just for your knowledge, I have been working on this all night. I ended up placing search-space.com inot the restricted site zone in internet options. I also cleared out temp inetrnet files and rebooted. I have pasted in a new hijackthis log for your viewing pleasure. As the site is now in the restricted zone, it doesn't come up anymore but I am afraid this is a temp fix and not a long term one. Ideas?

Logfile of HijackThis v1.97.7
Scan saved at 9:17:36 AM, on 12/7/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\oracle\ora81\bin\vppdc.exe
C:\oracle\ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PRPCUI.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\SpyKiller\spykiller.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\bweisber\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://central.informatica.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [REGSHAVE] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CMLUC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37947.7730555556
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://informatica.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = informatica.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{EDE6489E-6285-4EED-A572-A3815C7B3748}: NameServer = 10.1.32.61,10.1.32.62
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = informatica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = informatica.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = informatica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = informatica.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = informatica.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.1.32.61 10.1.32.62

 

Hi brad2003,

There is one entry in your first log that puzzles me and that is gone in the last one. Can you see if this file:
C:\WINNT\NavExt.dll is still present on your computer?

I would like to have a closer look.

Regards,

Pieter

 

Hi Pieter,

From an earlier message I read, I removed that file from an earlier hijackthis scan (I can't remember if it was the NavExt.dll from that directory or not). However, after your note, I looked in the C:\WINNT directory and the file is back with yesterday's timestamp. I guess it was "rebuilt" after a reboot or something but it never showed up in a subsequent hijackthis scan.

What do you think?

 

Hi brad2003,

I did manage to get my hands on the file in the meantime.
Haven't had much time to take a good look, but I would think it has to be registered as a BHO to do it's dirty work.

It hijacks to search-space or start-space (as you have found out).
Untill CWShredder is updated to deal with this one or we learn a little more about this one, please delete the file, make a copy of for example C:\Program Files\SpywareGuard\dlprotect.dll
in the folder where you found NavExt.dll and rename it to NavExt.dll
This way the offending file can not be placed in that directory and if it gets registered as a BHO the copy of SpywareGuard will get activated.

Hope this helps and I will keep you posted on any updates.

Regards,

Pieter

 

All right Pieter!

Good Catch!!

Thanks!

 

Thanks for the tip. Seems that search-space is gone for now. Kind of odd the hijackthis does not catch the NavExt.dll anymore -- even though it still does exist. I did try to delete it but I got a note from Windows telling me I couldn't because it was in use. Even more odd is that I noticed when I put http://www.search-sapce.com into my restricted sites in IE, I mistyped it to read htto://www.search-space.com. Don't know if it matters that I put in htto instead of http but it still has not come up since. Maybe killing the NavExt.dll before did kill it. In any event, I will keep search-space in my restricted sites until CWS includes this in an update. Thanks again for your efforts....

 

Hi brad2003,

You can download version 1.39.1 of CWShredder and run it. It has been updated for the NavExt variant.
Merijn is FAST!!

Regards,

Pieter

 

I downloaded the new version and ran it. Says my system was completely clean. Let's keep our fingers crossed!!!

Thanks again for all the ideas!

 

Good catch Pietz!

Thanks for the help brad

Cheers,