Browser Hijack :(

Discussion in 'Windows Desktop Systems' started by Blue Jack, Jan 21, 2004.

  1. Blue Jack
    I *think* this message goes here. Sorry if in the wrong forum.

    I have no idea how, but every time I reboot my system, my homepage is hijacked. I ran Spybot and Ad-Aware, and they remove the registry setting, but it always comes back.

    I tried a virus scan using Norton Professional, and it finds nothing. Any idea where the program would be hanging out that is causing this? I checked my boot.ini and scanned through my registry for local user/software/MS/run, and nothing related is in there. Where else would a startup program hang out?

    Thanks in advance.
     
  2. Enyo
  3. Blue Jack
    Here is my log:

    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
    C:\Program Files\Creative\ShareDLL\CtNotify.exe
    H:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Creative\ShareDLL\MediaDet.Exe
    H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
    h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
    h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\VRC.exe
    h:\Program Files\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Documents and Settings\God\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = removed porno link
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = removed porno link
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = removed porno link
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [Jet Detection] h:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [RemoteCenter] h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4099884259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I keep removing the porn links, but they keep coming back.

    Thanks in advance.

    Edit: I removed the link to the site; I didn't think the URLs would work, sorry 'bout that.
     
  4. Enyo
    Remove:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

    O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

    The Run entry above is adding the search page back upon every restart.

    You may want to look at IESPYAD and SpywareBlaster in the above linked thread. They can help block these kinds of threats from ever getting onto your system.
     
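    The persistence pattern Enyo points out above (an HKLM Run entry that runs `regedit /s` on a .reg file, so the hijacked IE values are rewritten on every boot no matter how often they are cleaned) is the kind of thing worth checking for mechanically. The script below is an added example, not part of the thread or of HijackThis itself: it parses HijackThis R0/R1 and O4 lines, flags any Run entry whose command silently imports a .reg file, parses that file's contents, and reports which of the flagged IE values the file restores, so the cleanup removes the Run entry and the file before resetting the start and search pages. The log lines are a constructed subset in the shape of the log posted above; the contents of `C:\WINDOWS\sys.reg` are hypothetical, since the thread never shows the real file. HijackThis writes `HKLM\..\Run` as shorthand for `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, which the script expands in its output.

```python
"""Added example (not from the thread): link HijackThis R0/R1 entries to the O4 Run
entry that restores them by silently re-importing a .reg file at every logon."""
import re

# Constructed sample, in the shape of the log posted above (only the relevant lines).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.searchv.com/search.html
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.searchv.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Search_URL = about:blank
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [sys] regedit /s C:\\WINDOWS\\sys.reg
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""

# Constructed, hypothetical contents for C:\WINDOWS\sys.reg. The thread never shows
# the real file, only that 'regedit /s' on it puts the search page back every boot.
SAMPLE_REG = """\
REGEDIT4

[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main]
"Start Page"="http://www.searchv.com/"
"Search Bar"="http://www.searchv.com/search.html"
"""

HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}
RUN_KEY = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"  # what HJT abbreviates as '..'
R_LINE = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?) = (.*)$")
O4_LINE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.*)$")
# 'regedit /s file.reg' or 'reg import file.reg': a silent registry import on every run.
REG_IMPORT = re.compile(r'(?i)\b(?:regedit(?:\.exe)?\s+[/-]s|reg(?:\.exe)?\s+import)\s+"?([^"\s]+\.reg)')
REG_SECTION = re.compile(r"^\[(HKEY_[A-Z_]+)\\(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def norm(hive, path, name):
    """Case-insensitive identity of a registry value: (hive, key path, value name)."""
    return (hive.upper(), path.lower(), name.lower())


def parse_hjt(log_text):
    """Return ([(value_id, data)], [(hive, label, command)]) from R0/R1 and O4 lines."""
    r_entries, run_entries = [], []
    for line in log_text.splitlines():
        if m := R_LINE.match(line):
            hive, path, name, data = m.groups()
            r_entries.append((norm(hive, path, name), data))
        elif m := O4_LINE.match(line):
            run_entries.append(m.groups())
    return r_entries, run_entries


def suspicious_r(r_entries, allowed_hosts=()):
    """R entries pointing at a remote host not on the caller's allowlist.
    about:blank and empty values are never flagged."""
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for key, data in r_entries:
        m = re.match(r"(?i)https?://([^/]+)", data.strip())
        if m and m.group(1).lower() not in allowed:
            flagged.append((key, data))
    return flagged


def reg_imports(run_entries):
    """Run entries whose command silently re-imports a .reg file; returns (hive, label, path)."""
    found = []
    for hive, label, cmd in run_entries:
        if m := REG_IMPORT.search(cmd):
            found.append((hive, label, m.group(1)))
    return found


def parse_reg(reg_text):
    """Return {value_id: data} for the string values a REGEDIT4 / 5.00 .reg file writes."""
    written, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if m := REG_SECTION.match(line):
            current = (HIVE_ABBREV.get(m.group(1), m.group(1)), m.group(2))
        elif current and (m := REG_VALUE.match(line)):
            written[norm(current[0], current[1], m.group(1))] = m.group(2)
    return written


def correlate(log_text, reg_text, allowed_hosts=()):
    """Tie hijacked IE values to the Run entry that restores them and build a cleanup plan."""
    r_entries, run_entries = parse_hjt(log_text)
    hijacked = dict(suspicious_r(r_entries, allowed_hosts))
    importers = reg_imports(run_entries)
    written = parse_reg(reg_text)
    restored = sorted(k for k in hijacked if k in written)
    # Order matters: remove the persistence first, or the values come straight back on reboot.
    plan = [f"delete {hive}\\{RUN_KEY} value [{label}] and the file it imports, {path}"
            for hive, label, path in importers]
    plan += [f"reset {k[0]}\\{k[1]},{k[2]} (currently {hijacked[k]}; restored by the .reg file)"
             for k in restored]
    plan += [f"reset {k[0]}\\{k[1]},{k[2]} (currently {hijacked[k]})"
             for k in hijacked if k not in written]
    return {"hijacked": hijacked, "importers": importers, "restored_by_reg": restored, "plan": plan}


if __name__ == "__main__":
    for step in correlate(SAMPLE_LOG, SAMPLE_REG)["plan"]:
        print(step)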
  5. Blue Jack
    Thank you!!!!!!!!!!!!!!
     
  6. XpGuy1
    Hey Enyo... those three lines in the registry were causing his browser to open up with a different page? How come some of the programs he was running didn't find this? Is it that they are inferior?
     
  7. Enyo
    Well they normally detect browser hijacks.

    My guess would be that AAW / Spybot detected the hijacked homepage but not the .reg file that kept setting it back upon boot.

    For hijack detection you can't beat HJT :)
     
  8. XpGuy1
    Yes, I agree. You can't beat HJT. I'm a fan now myself since my most recent hijacking of my browser.