prosearching.com

  1. #1
    frikkie is offline Newbie

    prosearching.com

    I am having trouble removing prosearching.com from my computer. How do I remove this completely? I also have icons popping up on my desktop that refer to: http://cc.panet.org/search.php?q=Spyware&aff_id=9

    I have used OmegakillerSM but with no success.

    This is my Hijackthis log file :

    Logfile of HijackThis v1.99.1
    Scan saved at 10:22:58 AM, on 4/16/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wm.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\WLANClient\WlanClient.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\TEMP\winD4D.tmp.exe
    C:\Documents and Settings\FOURIG\Desktop\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    O1 - Hosts: 127.0.0.67 search.active-max.com
    O1 - Hosts: 127.0.0.98 allaboutsearching.com
    O1 - Hosts: 127.0.0.24 www.allaboutsearching.com
    O1 - Hosts: 127.0.0.7 amazingautossearch.com
    O1 - Hosts: 127.0.0.20 www.amazingautossearch.com
    O1 - Hosts: 127.0.0.34 www.contexualsearch.com
    O1 - Hosts: 127.0.0.43 www.crap2.com
    O1 - Hosts: 127.0.0.0 www.dialup2.com
    O1 - Hosts: 127.0.0.22 ecpm.com
    O1 - Hosts: 127.0.0.241 find-quick.com
    O1 - Hosts: 127.0.0.79 lop.com
    O1 - Hosts: 127.0.0.2 ayb.lop.com
    O1 - Hosts: 127.0.0.82 img.lop.com
    O1 - Hosts: 127.0.0.94 srch.lop.com
    O1 - Hosts: 127.0.0.3 www1.lop.com
    O1 - Hosts: 127.0.0.33 www.lop.com
    O1 - Hosts: 127.0.0.80 maxexp.com
    O1 - Hosts: 127.0.0.221 www.mp3search.com
    O1 - Hosts: 127.0.0.250 netsearchsoft.com
    O1 - Hosts: 127.0.0.219 www.omegasearch.com
    O1 - Hosts: 127.0.0.227 prosearching.com
    O1 - Hosts: 127.0.0.217 www.rub.to
    O1 - Hosts: 127.0.0.95 sbvr.com
    O1 - Hosts: 127.0.0.67 www.sbvr.com
    O1 - Hosts: 127.0.0.223 searchexe.com
    O1 - Hosts: 127.0.0.213 www.searchexe.com
    O1 - Hosts: 127.0.0.205 www.searchweb2.com
    O1 - Hosts: 127.0.0.91 www.spawnet.com
    O1 - Hosts: 127.0.0.46 tdmy.com
    O1 - Hosts: 127.0.0.72 tefs.com
    O1 - Hosts: 127.0.0.54 tfil.com
    O1 - Hosts: 127.0.0.74 www.tfil.com
    O1 - Hosts: 127.0.0.76 tdko.com
    O1 - Hosts: 127.0.0.212 wrn.net
    O1 - Hosts: 127.0.0.79 www.wrn.net
    O1 - Hosts: 127.0.0.220 www.mp3search.com
    O1 - Hosts: 127.0.0.9 best.omega-search.com
    O1 - Hosts: 127.0.0.217 www.omega-search.com
    O1 - Hosts: 127.0.0.44 trinityacquisitions.com
    O1 - Hosts: 127.0.0.247 www.wethere.com
    O1 - Hosts: 127.0.0.61 asearchforyou.org
    O1 - Hosts: 127.0.0.63 www.asearchforyou.org
    O1 - Hosts: 127.0.0.224 www.errorfreesearch.com
    O1 - Hosts: 127.0.0.43 isearchhere.com
    O1 - Hosts: 127.0.0.240 www.isearchhere.com
    O1 - Hosts: 127.0.0.25 iwantosearch.com
    O1 - Hosts: 127.0.0.54 searchhotsex.com
    O1 - Hosts: 127.0.0.229 www.searchhotsex.com
    O1 - Hosts: 127.0.0.70 mastersearcher.com
    O1 - Hosts: 127.0.0.247 www.mastersearcher.com
    O1 - Hosts: 127.0.0.215 www.look-today.com
    O1 - Hosts: 127.0.0.220 www.aavc.com
    O1 - Hosts: 127.0.0.220 www.acjp.com
    O1 - Hosts: 127.0.0.98 ecmh.com
    O1 - Hosts: 127.0.0.40 www.wabu.com
    O1 - Hosts: 127.0.0.44 wabq.com
    O1 - Hosts: 127.0.0.27 www.maximumexperience.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFB5C758-1790-41E6-86E1-F87B04A8BB66}: NameServer = 209.212.96.1 209.212.97.1
    O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    Please Help!
    Last edited by frikkie; 16-04-2006 at 09:38 AM.


  2. #2
    Neal is offline Dedicated Member
    Welcome to DAL,


    Please download hoster from the link below.

    http://www.funkytoad.com/download/hoster.zip

    Open Hoster.exe.

    Then click on "Restore Original Hosts"

    Close program when complete.


    Please download this file to your desktop - http://www.mvps.org/winhelp2002/DelDomains.inf

    Right click on the file you downloaded and select install. This resets the trusted and restricted zones to defaults.

    Note: if you have immunized with Spybot this takes those off. You will have to re-immunize with Spybot. If you use SpywareBlaster and/or IE/Spyads, it will be necessary to re-install the protection both of those afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.

    Reboot.


    Download the Intermute stand-alone version of CWShredder from here: cwshredder.net/bin/CWShredder.exe
    Install it and check for updates then exit, we will use it later.



    Don't run Ewido just yet; we will from safe mode below.

    Please download, install, and update the NEW free version of Ewido trojan scanner:
    * When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    * From the main ewido screen, click on update in the left menu, then click the Start update button.
    * After the update finishes (the status bar at the bottom will display "Update successful")
    * Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    * If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
    * When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Post the log Ewido makes back here please.


    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.


    Run CWShredder and click on fix


    Now run Ewido while still in safe mode.


    Post the log Ewido makes
    Post a new hijackthis log also

    Thanks.

  3. #3
    frikkie is offline Newbie
    Neal,

    Thanks for helping me sort out this prosearching.com problem. I did everything step by step as indicated in your previous reply.

    Herewith the information you requested :

    Ewido Scan report before safe mode boot (updates installed)


    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 8:15:06 PM, 4/18/2006
    + Report-Checksum: 50C14040

    + Scan result:

    HKLM\SOFTWARE\ClickSpring -> Adware.PurityScan : Cleaned with backup
    [652] C:\WINDOWS\system32\winrkp32.dll -> Downloader.Small.cml : Cleaned with backup
    :mozilla.6:C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.7:C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.34:C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\FOURIG\Cookies\fourig@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\FOURIG\Desktop\My Documents\VERMAC\Cookies\vermac@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\FOURIG\Desktop\My Documents\VERMAC\Cookies\vermac@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\FOURIG\Desktop\My Documents\VERMAC\Cookies\vermac@servedby.advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temp\win3.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temporary Internet Files\Content.IE5\9QRWSAGY\srvkgp[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temporary Internet Files\Content.IE5\9QRWSAGY\srvrbn[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temporary Internet Files\Content.IE5\KPIRS1UB\wizp32[1].exe -> Downloader.IstBar.eq : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temporary Internet Files\Content.IE5\TJ3JP9CE\srvpyl[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temporary Internet Files\Content.IE5\W9I3CXI3\srviws[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\Documents and Settings\FOURIG\Local Settings\Temporary Internet Files\Content.IE5\W9I3CXI3\srvwvk[1].exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\system32\AdService.dll -> Downloader.Small.cml : Cleaned with backup
    C:\WINDOWS\system32\ldA7E8.tmp -> Downloader.Zlob.jt : Cleaned with backup
    C:\WINDOWS\system32\winrkp32.dll -> Downloader.Small.cml : Cleaned with backup
    C:\WINDOWS\Temp\win19.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win1C.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win218.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win21B.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win5.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\win83D.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winA.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winBA8.tmp.exe -> Downloader.IstBar.eq : Cleaned with backup
    C:\WINDOWS\Temp\winBAC.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winBB0.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winBBF.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winD41.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winD4D.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\Temp\winD8D.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
    C:\WINDOWS\winres.dll -> Downloader.IstBar.ff : Cleaned with backup


    ::Report End

    Ewido Scan report in safe mode

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 8:54:28 PM, 4/18/2006
    + Report-Checksum: 1D311888

    + Scan result:

    No infected objects found.


    ::Report End

    HijackThis log in safe mode

    Logfile of HijackThis v1.99.1
    Scan saved at 8:54:52 PM, on 4/18/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    Hope this is enough info for you to help me get rid of the prosearching problem.

    Thanks again for helping.

  4. #4
    VopThis is offline Senior Member (Canada)
    Note: Neal is away for the next two (2) days. I will continue to assist you if you wish.




    Please download ATF Cleaner http://www.atribune.org/ccount/click.php?id=1 by Atribune.
    This program is for XP and Windows 2000 only

    It does not require any installation and uses minimal system resources. It is set up to clean IE, FireFox and Opera, and detects the browsers you have and grays out the other(s).
    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Recommend UNCHECKING COOKIES if you rely on system remembered passwords.
      Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All EXCEPT FIREFOX SAVED PASSWORDS
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    • Click Opera at the top and choose: Select All EXCEPT COOKIES AND SAVED PASSWORDS
      Click the Empty Selected button.
      NOTE: If you would like to keep your cookies and saved passwords, please click No at the prompt.



    Click Exit on the Main menu to close the program.





    SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer =

    O20 - Winlogon Notify: winrkp32 - winrkp32.dll (file missing)

    Make sure that all browser windows and internet links are closed, even this one!
    CLICK ’FIX CHECKED’ with HijackThis.



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
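An added example, not part of the original thread: a Python script that triages HijackThis entries of the kinds posted above (R0/R1 browser pages, O1 hosts entries, O15 Trusted Zone sites, O20 Winlogon Notify) and cross-references autostart entries against files named in the ewido report. The function names, the `about:blank` neutral list and matching by bare file name are assumptions of this example; the sample lines are copied from the logs in this thread.

```python
import ipaddress
import re

# Lines copied from the HijackThis and ewido logs posted in this thread
# (a small subset, embedded so the script runs offline).
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.matthey.local;*.mattheyafrica.local;<local>
O1 - Hosts: 127.0.0.227 prosearching.com
O1 - Hosts: 127.0.0.79 lop.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.offshoreclicks.com
O20 - Winlogon Notify: winrkp32 - C:\WINDOWS\SYSTEM32\winrkp32.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

EWIDO_REPORT = r"""
[652] C:\WINDOWS\system32\winrkp32.dll -> Downloader.Small.cml : Cleaned with backup
C:\WINDOWS\winres.dll -> Downloader.IstBar.ff : Cleaned with backup
C:\WINDOWS\Temp\winD4D.tmp.exe -> Trojan.Dialer.oy : Cleaned with backup
"""

# Assumption of this example: values treated as harmless for IE page settings.
NEUTRAL_PAGES = {"about:blank"}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2})\s+-\s+(.*)$")
EWIDO_RE = re.compile(r"^(?:\[\d+\]\s*)?([A-Za-z]:\\.+?)\s+->\s+(\S+)\s+:")


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def detected_files(report_text):
    """Map lower-cased file name -> detection name from ewido file results."""
    found = {}
    for line in report_text.splitlines():
        m = EWIDO_RE.match(line.strip())
        if m:
            found[m.group(1).rsplit("\\", 1)[-1].lower()] = m.group(2)
    return found


def describe_hosts_entry(ip_text, name):
    """Describe an O1 entry; note loopback addresses other than 127.0.0.1."""
    reason = "hosts file maps " + name + " to " + ip_text
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return reason + " (unparseable address)"
    if ip.is_loopback and ip_text != "127.0.0.1":
        reason += " (loopback other than 127.0.0.1)"
    return reason


def triage(log_text, report_text=""):
    """Return (section, reasons, body) for each entry worth a reviewer's look."""
    flagged = detected_files(report_text)
    findings = []
    for section, body in parse_entries(log_text):
        reasons = []
        low = body.lower()
        if section in ("R0", "R1") and "\\internet explorer\\" in low:
            # Body is "key,value = data"; data is the page IE will load.
            data = body.partition(" = ")[2].strip()
            if data and data.lower() not in NEUTRAL_PAGES:
                reasons.append("IE start/search value set to " + data)
        elif section == "O1":
            fields = body.split()  # ["Hosts:", ip, name]
            if len(fields) >= 3:
                reasons.append(describe_hosts_entry(fields[1], fields[2]))
        elif section == "O15":
            reasons.append("site placed in the IE Trusted Zone")
        elif section == "O20":
            reasons.append("Winlogon Notify DLL listed")
        if section in ("O2", "O4", "O20", "O23"):
            if "(file missing)" in low:
                reasons.append("target file missing (orphaned entry)")
            # Bare file-name match: confirm the full path before acting on it.
            for name, detection in flagged.items():
                if name in low:
                    reasons.append("references " + name + ", detected as " + detection)
        if reasons:
            findings.append((section, "; ".join(reasons), body))
    return findings


if __name__ == "__main__":
    for section, reasons, body in triage(HJT_LOG, EWIDO_REPORT):
        print(section, "|", reasons)
```
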

  5. #5
    frikkie is offline Newbie
    Vincent,

    Thank you for all the help and advice. Looks like my problem has been solved.

    Herewith the HijackThis log as requested:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:20:58 PM, on 4/20/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wm.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\PROGRA~1\CA\ETRUST~1\realmon.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\WLANClient\WlanClient.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.matthey.local;*.mattheyafrica.local;<local>
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DFB5C758-1790-41E6-86E1-F87B04A8BB66}: NameServer = 209.212.96.1 209.212.97.1
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
    O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
    O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    Thanks again for the help and the great and fast service. Please let me know if there is anything else I need to do.

    Frikkie

  6. #6
    Neal is offline Dedicated Member
    Looking much better,


    Run hijackthis and fix these also please:


    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


    Nothing open but hijackthis and click on fix checked.



    www.pandasoftware.com/activescan/

    Internet Explorer Required
    Please run this online virus scan: ActiveScan

    * Once you are on the Panda site click the Scan your PC button
    * A new window will open...click the Check Now button
    - Enter your Country
    - Enter your State/Province
    - Enter your e-mail address and click send (*NOTE: it's perfectly safe to do so. You will NOT be spammed from this)
    - Select either Home User or Company
    * Click the big Scan Now button
    * If/when you get a notice that Panda wants to install an ActiveX component allow it
    * It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    * When download is complete, click on Local Disks to start the scan
    * When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop and post it back here please and a new hijackthis log as well. Thanks.

  7. #7
    frikkie is offline Newbie
    Neal, as requested I fixed the 2 mentioned entries in HijackThis and also did a scan from the Panda website as indicated.

    Herewith the HijackThis log :

    Logfile of HijackThis v1.99.1
    Scan saved at 2:34:47 PM, on 4/22/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    C:\Program Files\CA\eTrustITM\InoRpc.exe
    C:\Program Files\CA\eTrustITM\InoRT.exe
    C:\Program Files\CA\eTrustITM\InoTask.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\NALNTSRV.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wm.exe
    C:\NOVELL\ZENRC\wuser32.exe
    C:\NOVELL\ZENRC\WUOLService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrustITM\realmon.exe
    C:\WINDOWS\System32\dpmw32.exe
    C:\WINDOWS\System32\NWTRAY.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Vodafone\Vodafone Mobile Connect\VMConnect.exe
    C:\Program Files\Vodafone\Vodafone Mobile Connect\WLANClient\WlanClient.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.51.0.4:3128
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrustITM\realmon.exe" -s
    O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
    O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Discovery User Input] C:\Discovery\User Input\userin32.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: iTechnology iGateway 4.0 (iGateway) - Computer Associates International, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
    O23 - Service: eTrust ITM RPC Service (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRpc.exe
    O23 - Service: eTrust ITM Realtime Service (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoRT.exe
    O23 - Service: eTrust ITM Job Service (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrustITM\InoTask.exe
    O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.EXE
    O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
    O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe

    Also the report from the Panda website :


    Incident                      Status           Location

    Spyware:Cookie/Statcounter    Not disinfected  C:\Documents and Settings\FOURIG\Application Data\Mozilla\Firefox\Profiles\azi9357v.default\cookies.txt[]
    Spyware:Cookie/YieldManager   Not disinfected  C:\Documents and Settings\FOURIG\Cookies\fourig@ad.yieldmanager[1].txt
    Spyware:Cookie/Casalemedia    Not disinfected  C:\Documents and Settings\FOURIG\Cookies\fourig@casalemedia[1].txt
    Spyware:Cookie/Statcounter    Not disinfected  C:\Documents and Settings\FOURIG\Cookies\fourig@statcounter[2].txt
    Adware:adware/emediacodec     Not disinfected  C:\WINDOWS\system32\1024\ld11CB.tmp
    Adware:Adware/Adservice       Not disinfected  C:\WINDOWS\system32\AdService.bat


    Thanks again for the support.

  8. #8
    Neal is offline Dedicated Member
    Hi,


    Now reboot into safe mode by tapping your F8 key upon restart; when the safe mode screen appears, select safe mode and press Enter.


    Hunt for and delete if present:

    C:\WINDOWS\system32\1024\ld11CB.tmp < file
    C:\WINDOWS\system32\AdService.bat < file


    Reboot into normal mode and tell me how your computer is behaving now. Thanks.
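
Added example, not part of any post in this thread: a short Python script that parses HijackThis item lines and diffs two logs, which is the check done by eye between posts #6 and #7 (the entries marked for fixing should be gone, and anything new should be explainable). The sample logs are excerpts of lines quoted in the thread; the function and variable names are assumptions made for this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code body")

# Item lines look like "O9 - Extra button: ..." or "R1 - HKCU\...".
# A leading zero typed in place of the letter O ("09 - ...") is accepted too.
ITEM_RE = re.compile(r"^\s*([A-Z0]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_items(log_text):
    """Return the set of (section code, body) items found in a HijackThis log."""
    items = set()
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue  # header lines and the running-process list do not match
        code = m.group(1)
        if code[0] == "0":
            code = "O" + code[1:]  # normalise the zero-for-O typo
        items.add(Entry(code, m.group(2)))
    return items

def diff_logs(before, after):
    """Return (removed, added) items between two scans, each sorted."""
    old, new = parse_items(before), parse_items(after)
    return sorted(old - new), sorted(new - old)

def still_present(targets, log_text):
    """Items the helper asked to fix that still show up in a later log."""
    current = parse_items(log_text)
    return sorted(t for t in parse_items(targets) if t in current)

# Excerpts of lines from the thread's logs (earlier scan, then the 4/22/2006 scan).
BEFORE = r"""
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
"""
AFTER = r"""
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
"""

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    for e in removed:
        print("removed:", e.code, "-", e.body)
    for e in added:
        print("added:  ", e.code, "-", e.body)
```

On these excerpts the two O9 "Related" items are reported as removed, and the only new item is the O16 ActiveScan installer that the Panda scan itself installs.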
