Spybot only says Porn Hijacker
<$REG_APPID>
HKEY_CLASSES_ROOT\AppID
It also had isearch toolbar there and removed it (it looks like temporarily as it has come back each time)
When I click on reg value it opens Regedit but it is at the top of the tree rather than at the selected key.
Ad-Aware finds nothing. I have done my amateur best searching manually but can see nothing obvious anywhere. Have included my HJT log file in the hope someone here can see something I am missing
I removed the entry: R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D but it keeps magically reappearing
Have run CWShredder v2.10 and it shows that
CWS.Svhosts32 REMOVED
CWS.Therealsearch REMOVED
Rerun CWShredder and it shows the same thing each time I run it (does this mean it is finding it each time or just a record of one removal?)
Logfile of HijackThis v1.98.2
Scan saved at 1:43:17 PM, on 11/12/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\TINY PERSONAL FIREWALL\PERSFW.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\SYSTEM\WF2K.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETTRAY.EXE
C:\PROGRAM FILES\UTILITIES\VET\VETMSG.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.broadband.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://pcworld.idg.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = =%3D
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.tpg.com.au:3128
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRAM FILES\FLASHGET\JCCATCH.DLL
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} - C:\PROGRAM FILES\POPUPCOP\POPUPCOP.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [WinFast_2K] C:\WINDOWS\SYSTEM\WF2K.EXE
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\UTILIT~1\VET\VETTRAY.EXE
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\UTILIT~1\VET\VETMSG.EXE
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\RunServices: [PersFw] C:\Program Files\Tiny Personal Firewall\persfw.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [xReminder Pro] C:\PROGRAM FILES\XREMINDER PRO\XREMIND.EXE
O4 - HKCU\..\Run: [HomeAlarm] D:\PROGRAM FILES\CHAMELEON CLOCK\CHAMCLOCK.EXE
O4 - HKCU\..\Run: [RestoreDesktop] C:\PROGRAM FILES\RESTORE DESKTOP\RESTOREDESKTOP.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download using FlashGet - C:\PROGRAM FILES\FLASHGET\jc_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRAM FILES\FLASHGET\jc_all.htm
O8 - Extra context menu item: Open Image in New Window - res://C:\PROGRA~1\POPUPCOP\popupcop.dll/imagenew
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Accelio Capture Form Control) - http://www.ato.gov.a...ase/FormCtl.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Accelio Capture Script Object) - http://www.ato.gov.a...criptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Accelio Capture Soft Font Installer) - http://www.ato.gov.a...ntinstaller.cab
O16 - DPF: Yahoo! Hearts - http://download.game...nts/y/ht1_x.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab