Browser Hijack :(

Blue Jack

#1
I *think* this message goes here. Sorry if in the wrong forum.

I have no idea how, but every time I reboot my system, my homepage is hijacked. I ran spybot and adware, and it removes the registry setting. But it always comes back.

I tried a virus scan using Norton Professional, and it finds nothing. Any idea where the program would be hanging out that is causing this? I checked my boot.ini, and scanned through my registry for local user/software/MS/run and nothing related is in there. Where else would a start up program hang out?

Thanks in advance.
 

Blue Jack

#3
Here is my log:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$NetSDK\Binn\sqlservr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
H:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
H:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\OSDMenu.EXE
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\EAX.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\VRC.exe
h:\Program Files\Creative\SBAudigy\RemoteCenter\Center\RCenter.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\Documents and Settings\God\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = removed porno link
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [CTStartup] H:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] h:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [RemoteCenter] h:\Program Files\Creative\SBAudigy\RemoteCenter\Rc\Rcman.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37924.4099884259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I keep removing the pron links, but it keeps coming back.

Thanks in advance.

Edit, I removed the link to the site, didn't think the urls would work, sorry 'bout that.
 

Enyo

#4
Remove:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.searchv.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.searchv.com/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchv.com/

O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg

The Run entry above is adding the search page back upon every restart.

You may want to look at IESPYAD and SpywareBlaster in the above linked thread. They can help block these kinds of threats from ever getting onto your system.
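
The check applied by eye in post #4, as an added example (not code from the thread or from HijackThis): it scans O4 Run entries for commands that silently merge a .reg file at startup, the mechanism that kept restoring the hijacked pages. The function names and the `about:blank` baseline are assumptions of this example; the sample lines are copied from the log posted above.

```python
import re

# Excerpt of the HijackThis log posted in the thread (lines copied as posted).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = removed porno link
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sys] regedit /s C:\WINDOWS\sys.reg
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# "R0/R1 - <hive>\<key>,<value> = <data>": Internet Explorer start/search URLs.
IE_SETTING = re.compile(r"^R[01] - (HK\w+)\\(.+),(.+?) = (.*)$")
# "O4 - <hive>\..\<Run key>: [<name>] <command>": registry autoruns.
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")
# Commands that merge registry data with no prompt: "regedit /s" or "reg import".
REGEDIT_SILENT = re.compile(r'\bregedit(\.exe)?"?\s+(.*\s)?[/-]s(\s|$)', re.I)
REG_IMPORT = re.compile(r'\breg(\.exe)?"?\s+import\s', re.I)
REG_FILE = re.compile(r'"([^"]+\.reg)"|(\S+\.reg)(?=\s|$)', re.I)


def silent_reg_import(command):
    """Return the .reg file a command merges without prompting, else None."""
    if not (REGEDIT_SILENT.search(command) or REG_IMPORT.search(command)):
        return None
    m = REG_FILE.search(command)
    return (m.group(1) or m.group(2)) if m else "<no .reg path found>"


def triage(log_text):
    """Return (IE values not set to about:blank, autoruns that re-import a .reg)."""
    overridden, reimporters = [], []
    for line in map(str.strip, log_text.splitlines()):
        ie, run = IE_SETTING.match(line), O4_RUN.match(line)
        if ie and ie.group(4) != "about:blank":
            overridden.append(ie.group(3))
        elif run and silent_reg_import(run.group(4)):
            reimporters.append({"hive": run.group(1), "key": run.group(2),
                                "name": run.group(3),
                                "reg_file": silent_reg_import(run.group(4))})
    return overridden, reimporters


if __name__ == "__main__":
    overridden, reimporters = triage(SAMPLE_LOG)
    print("IE values pointing away from about:blank:", overridden)
    for r in reimporters:
        print(f"{r['hive']}\\{r['key']} [{r['name']}] re-imports {r['reg_file']} at every boot")
```

A hit from `triage` means cleaning the R0/R1 values alone will not hold, which matches what the first post describes: the scanners removed the registry setting and it came back on reboot.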
 

XpGuy1

#6
Hey Enyo... those three lines in the registry were causing his browser to open up with a different page? How come some of the programs he was running didn't find this?? Is it that they are inferior??
 

Enyo

#7
Well they normally detect browser hijacks.

My guess would be that AAW / SpyBot detected the hijacked homepage but not the reg file that kept setting it back upon boot.

For Hijack detection you can't beat HJT :)
 

XpGuy1

#8
Yes, I agree. You can't beat HJT. I'm a fan now myself since my most recent hijacking of my browser.
 
