Help me removing prosearching.com

  1. 09-05-2006  #1
    sonurijs
    sonurijs is offline Newbie

    Help me removing prosearching.com

    hai,

    for the past two days my system is suffering with prosearching.com. my home page gets changed to prosearching.com. there are two items created in the desktop. they are Remove spyware and online games. prosearching.com site is added to the favourites with the name VIP porn site. if i delete the favourite item and desktop item and changed the home page of the internet explorer, everything gets changed to above said pattern.

    the following is the log file.


    Logfile of HijackThis v1.99.1
    Scan saved at 18:27:16, on 2006/05/09
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\OfficeScan NT\pccntmon.exe
    C:\WINDOWS\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Hidemaru\Hidemaru.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\Program Files\Yahoo!\WidgetEngine\YahooWidgetEngine.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\System32\basfipm.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\OfficeScan NT\ntrtscan.exe
    C:\OfficeScan NT\tmlisten.exe
    C:\OfficeScan NT\ofcdog.exe
    C:\OfficeScan NT\pccntupd.exe
    C:\WINDOWS\system32\wscntfy.exe
    E:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
    C:\WINDOWS\System32\dllhost.exe
    \?\C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\as pnet_wp.exe
    C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE\devenv.exe
    C:\Program Files\Microsoft Visual Studio\VSS\win32\SSEXP.EXE
    C:\Program Files\Microsoft Visual Studio\VSS\win32\SSEXP.EXE
    E:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\senthilrajan\Local Settings\Temp\HijackThis.exe

    O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\OfficeScan NT\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\iexplore.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Tray Pilot Lite] "e:\Program Files\Invention Pilot\Tray Pilot Lite\TrayPlt.exe"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun の Java コンソール - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: *.flingstone.com
    O15 - Trusted Zone: *.i-lookup.com
    O15 - Trusted Zone: *.offshoreclicks.com
    O15 - Trusted Zone: *.teensguru.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.kumudam.com/wfplayer/tdserver.cab
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTick...cab?refid=5071
    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB1EA8EC-8A39-40DA-B0DE-2A98B09C328D}: NameServer = 10.171.5.5,0.0.0.0
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: winrvc32 - C:\WINDOWS\SYSTEM32\winrvc32.dll
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\OfficeScan NT\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Unknown owner - C:\OfficeScan NT\tmlisten.exe

    please help me remove this. it is very urgent

    Sonnu

  3. 10-05-2006  #2
    VopThis
    VopThis is offline Senior Member (Canada)
    Save 20% on AVG Internet Security 2012 Suite!
    Does prosearching hijacks continue to reoccur?


    Have you knowing setup the following entries or know what any of these sites are for?

    O15 - TRUSTED Zone: *.flingstone.com
    O15 - TRUSTED Zone: *.i-lookup.com
    O15 - TRUSTED Zone: *.offshoreclicks.com
    O15 - TRUSTED Zone: *.teensguru.com
    O15 - TRUSTED Zone: *.xxxtoolbar.com

    Verify that the following entry is from your ISP or other known source:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{AB1EA8EC-8A39-40DA-B0DE-2A98B09C328D}: NameServer = 10.171.5.5,0.0.0.0

    (source location is California, USA)




    Download the latest version of CWSHredder to your desktop from here:
    http://cwshredder.net/bin/CWShredder.exe

    Run this application, initially, ONLY to search for UPDATES.
    You may have to do this on another PC - it simply downloads the latest EXE and overwrites the current one (512K).





    Please download, install, update and scan your system with the free (trial) version of Ewido TROJAN scanner
    [Developed for Windows 2000 and XP]:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread.
    Note: Ewido is a free trial product for 14 days. Since Ewido is a trial version, the realtime guard and automatic update will stop functioning after 14 days. We are not installing the guard because it might interfere with the cleanup or the malware removal process. You can use Ewido as an on-demand scanner (recommended) but you will have to manually update the definition file each time you scan. If you decide to purchase Ewido, you can enable the 'Realtime Protect' and 'Automatic Update' functions by clicking on the 'Status' bar (Top left) and clicking on both items under "Your Security Status".





    SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).


    Next, run CWShredder
    -Click on the: ‘Fix’ button
    -Follow the prompts, and press OK



    POST A REVISED HIJACKTHIS LOG for review:
    Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
+ Reply to Thread
« Hijackthis Help | Ewido Problem (RESOLVED) »