Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Porn Hijacker + iSearch Toolbar?


  • Please log in to reply

#1
Harvey

Harvey

    New Member

  • Member
  • Pip
  • 6 posts
Spybot tells me I have a Porn Hijacker but it cannot remove it as it is active in memory.
Spybot only says Porn Hijacker
<$REG_APPID>
HKEY_CLASSES_ROOT\AppID

It also had isearch toolbar there and removed it (it looks like temporarily as it has come back each time)
When I click on reg value it opens Regedit but it is at the top of the tree rather than at the selected key.

Ad-Aware finds nothing. I have done my amateur best searching manually but can see nothing obvious anywhere. Have included my HJT log file in the hope someone here can see something I am missing

I removed the entry: R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D but it keeps magically reappearing

Have run CWShredder v2.10 and it shows that
CWS.Svhosts32 REMOVED
CWS.Therealsearch REMOVED

Rerun CWShredder and it shows the same thing each time I run it (does this mean it is finding it each time or just a record of one removal?)


Logfile of HijackThis v1.98.2
Scan saved at 1:43:17 PM, on 11/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\WF2K.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETTRAY.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETMSG.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tpg.com.au:3128
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\SYSTEM\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\UTILIT~1\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\UTILIT~1\VET\VETMSG.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [xReminder Pro] C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
O4 - HKCU\..\Run: [HomeAlarm] D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
O4 - HKCU\..\Run: [RestoreDesktop] C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Accelio Capture Form Control) - http://www.ato.gov.a...ase/FormCtl.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Accelio Capture Script Object) - http://www.ato.gov.a...criptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Accelio Capture Soft Font Installer) - http://www.ato.gov.a...ntinstaller.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tpg.com.au:3128
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\PROGRAM FILES\FLASHGET <- this folder

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. smile.gif
  • 0

#3
Harvey

Harvey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.98.2
Scan saved at 11:17:50 AM, on 12/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\UTILITIES\VET\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\WF2K.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETTRAY.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETMSG.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\SYSTEM\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\UTILIT~1\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\UTILIT~1\VET\VETMSG.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Utilities\Vet\isafe.exe
O4 - HKCU\..\Run: [xReminder Pro] C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
O4 - HKCU\..\Run: [HomeAlarm] D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
O4 - HKCU\..\Run: [RestoreDesktop] C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Accelio Capture Form Control) - http://www.ato.gov.a...ase/FormCtl.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Accelio Capture Script Object) - http://www.ato.gov.a...criptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Accelio Capture Soft Font Installer) - http://www.ato.gov.a...ntinstaller.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab

I now have a slightly neater looking log file and no download manager but Spybot is still telling me that I have a Porn Hijacker as well as iSearchToolbar.
  • 0

#4
Harvey

Harvey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
ps... CWShredder still shows the exact same results every time I run it.
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
Copy the part in bold below to notepad. Save the file as remisrch.reg, set type to "all files"


REGEDIT4

[-HKEY_CURRENT_USER\Software\iSearch]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000


Then doubleclick the file you made and confirm you want to merge it with the registry.

Also can you tell me which version of CWShredder you are using?

Regards,

Pieter
  • 0

#6
Harvey

Harvey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts

Copy the part in bold below to notepad. Save the file as remisrch.reg, set type to "all files"


REGEDIT4

[-HKEY_CURRENT_USER\Software\iSearch]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"SpecifyDefaultButtons"=dword:00000000
"Btn_Search"=dword:00000000
"NoBandCustomize"=dword:00000000
"NoToolbarCustomize"=dword:00000000


Then doubleclick the file you made and confirm you want to merge it with the registry.

Also can you tell me which version of CWShredder you are using?

Regards,

Pieter

View Post


Thank you for your help.

I have CWShredder v2.10

Before I start making changes to my registry would you mind giving a brief rundown on what we may achieve with these changes. I googled the changes you suggest and it looks like they will change the greyed out toolbar etc. The problem is that the only thing I can see on my comp is what Spybot is telling me.... no other visible symptoms so far.
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,674 posts
The last version of CWShredder is at 2.11 since 2.10 had some minor problems.

What I am trying to achieve is undo the changes the iSaerch Toolbar might have made on your system.
These might also be setting of the Spybot alarms.

Regards,

Pieter
  • 0

#8
Harvey

Harvey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay.... copied....pasted.....merged with registry.....rebooted

Spybot still showing same things present.

(Updated CWShredder to 2.12 and it now shows nothing present or removed)
  • 0

#9
coachwife6

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please post a fresh log. :tazz:
  • 0

#10
Harvey

Harvey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Latest log.....

Logfile of HijackThis v1.98.2
Scan saved at 10:08:44 PM, on 15/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\WF2K.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETTRAY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETMSG.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\SYSTEM\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\UTILIT~1\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\UTILIT~1\VET\VETMSG.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [xReminder Pro] C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
O4 - HKCU\..\Run: [HomeAlarm] D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
O4 - HKCU\..\Run: [RestoreDesktop] C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Accelio Capture Form Control) - http://www.ato.gov.a...ase/FormCtl.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Accelio Capture Script Object) - http://www.ato.gov.a...criptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Accelio Capture Soft Font Installer) - http://www.ato.gov.a...ntinstaller.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP