Browser Hijack :(

Blue Jack

OSNN Addict
21 Jan 2004
I *think* this message goes here. Sorry if in the wrong forum.

I have no idea how, but every time I reboot my system, my homepage is hijacked. I ran spybot and adware, and it removes the registry setting. But it always comes back.

I tried a virus scan using Norton Professional, and it finds nothing. Any idea where the program would be hanging out that is causing this? I checked my boot.ini, and scanned through my registry for local user/software/MS/run and nothing related is in there. Where else would a start up program hang out?

Thanks in advance.
Here is my log:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
H:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\NavNT\rtvscan.exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\VRC.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
C:\Documents and Settings\God\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = removed porno link
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] h:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [RemoteCenter] h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

I keep removing the pron links, but it keeps coming back.

Thanks in advance.

Edit, I removed the link to the site, didn't think the urls would work, sorry 'bout that.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

The Run entry above is adding the search page back upon every restart.

You may want to look at IESPYAD and SpywareBlaster in the above linked thread. They can help block these kinds of threats from ever getting onto your system.
Hey Enyo... those three lines in the registry were causing his browser to open up with a different page? How come some of the programs he was running didn't find this?? Is it that they are inferior??
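
An added example, not part of the original thread or any poster's code: a small Python check that scans HijackThis O4 autorun lines for entries that run regedit against a .reg file, the pattern pointed out in the answer above. The function name and output fields are illustrative; the sample lines are copied from the log in this thread.

```python
import re
import shlex

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# HijackThis autorun line: O4 - <hive>\..\Run[Once...]: [value name] command line
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
REG_TOOLS = {"regedit", "regedit.exe", "regedt32", "regedt32.exe"}


def find_reg_imports(log_text):
    """Return O4 Run entries that import a .reg file at startup (illustrative helper)."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        try:
            # posix=False keeps Windows backslashes intact; quotes are stripped below.
            tokens = shlex.split(m["cmd"], posix=False)
        except ValueError:  # unbalanced quote in the command line
            tokens = m["cmd"].split()
        tokens = [t.strip('"') for t in tokens]
        if not tokens:
            continue
        exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
        reg_files = [a for a in tokens[1:] if a.lower().endswith(".reg")]
        if exe in REG_TOOLS and reg_files:
            findings.append({
                "hive": m["hive"],
                "key": m["key"],
                "name": m["name"],
                "reg_files": reg_files,
                # /s suppresses regedit's confirmation prompt, so the import is invisible
                "silent": any(a.lower() in ("/s", "-s") for a in tokens[1:]),
            })
    return findings


if __name__ == "__main__":
    for f in find_reg_imports(SAMPLE_LOG):
        print(f)
```

Each reported .reg file should be inspected and removed together with its Run value; deleting only the browser settings leaves the import in place for the next boot.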
Well they normally detect browser hijacks.

My guess would be that AAW / SpyBot detected the hijacked homepage but not the reg file that kept setting it back upon boot.

For Hijack detection you can't beat HJT :)
Yes, I agree. You can't beat HJT. I'm a fan now myself since my most recent hijacking of my browser.
