Browser Hyjack :(

#1
I *think* this message goes here. Sorry if in the wrong forum.

I have no idea how, but every time I reboot my system, my homepage is hyjacked. I ran spybot and adware, and it removes the registry setting. But it always comes back.

I tried a virus scan using Norton Professional, and it finds nothing. Any idea where the program would be hanging out that is causing this? I checked my boot.ini, and scanned through my registry for local user/software/MS/run and nothing realated is in there. Where else would a start up program hang out?

Thanks in advance.
 
#3
Here is my log:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
H:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\VRC.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\God\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = removed porno link
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] h:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [RemoteCenter] h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4099884259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I keep removing the pron links, but it keeps coming back.

Thanks in advance.

Edit, I removed the link to the site, didn't think the urls would work, sorry 'bout that.
 

Enyo

OSNN Veteran Addict
#4
Remove:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

The Run entry above is adding the search page back upon every restart.

You may want to look at IESPYAD and SpywareBlaster in the above linked thread. They can help block these kind of threats from ever getting onto your system.
 

XpGuy1

Mindless Poster
#6
Hey Enyo... those three lines in the registry were causing his browers to open up with a different page? How come some of the programs he was running didn't find this ?? Is it that they are inferior??
 

Enyo

OSNN Veteran Addict
#7
Well they normally detect browser hijacks.

My guess would be that AAW / SpyBot detected the hijacked homepage but not the reg file that kept setting it back upon boot.

For Hijack detection you cant beat HJT :)
 

Members online

No members online now.

Latest profile posts

Perris Calderon wrote on Electronic Punk's profile.
Ep, glad to see you come back and tidy up...did want to ask a one day favor, I want to enhance my resume , was hoping you could make me administrator for a day, if so, take me right off since I won't be here to do anything, and don't know the slightest about the board, but it would be nice putting "served administrator osnn", if can do, THANKS

Been running around Quora lately, luv it there https://tinyurl.com/ycpxl
Electronic Punk wrote on Perris Calderon's profile.
All good still mate?
Hello, is there anybody in there? Just nod if you can hear me ...
Xie
What a long strange trip it's been. =)

Forum statistics

Threads
61,974
Messages
673,308
Members
89,016
Latest member
Poseeut