chimaera

prosearch homepage & toolbar

10 posts in this topic

Hi. Although my main problem is that my homepage is set to prosearching.com and that I have a shitty toolbar permanently locked onto IE, I have another issue first.

 

I have HJT, but it won't run. This is also happening with a pop-up stopper, and even task manager. It is an odd thing because most of my other programs work and load ok. I know I have fairly low memory for using XP (256) but this has never been a problem before. So, my first question is - what's going on here?!

 

Secondly is the main reason for my post. I started windows in safe mode and ran HJT. Here is the log:

 

Logfile of HijackThis v1.97.7

Scan saved at 21:23:07, on 26/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINXP\System32\smss.exe

C:\WINXP\system32\winlogon.exe

C:\WINXP\system32\services.exe

C:\WINXP\system32\lsass.exe

C:\WINXP\system32\svchost.exe

C:\WINXP\system32\svchost.exe

C:\WINXP\Explorer.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index....w.google.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {CDDACE1D-4463-96E8-6A46-DE027E40887A} - C:\PROGRA~1\SECTME~1\size noun.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx

O3 - Toolbar: Pile Bold 2 - {C0EB8BF3-9214-2FD9-5C34-C245E96ACD5E} - C:\PROGRA~1\SECTME~1\size noun.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Pure Trans] C:\PROGRA~1\thewipe\modestylemeet.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe

O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

 

 

I am hoping one of you can help me out =0)

 

I run Avast anti-virus (even though it slows things down!), I use Adaware, Spybot and Privacy Guardian in a vain attempt to stay clear of malware. I also have CWS Shredder which I have scanned with too.

 

Is there anything else I can do to stop this happening again in the future?!

 

Many thanks to anyone that can help!


Chimaera

 

Have you run Trendmicro virusscan recently?

 

Also download The Cleaner trojan scanner and let it do a scan.

 

Fix from Hijack This (some may already have been fixed by the scan):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index....w.google.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

O2 - BHO: (no name) - {CDDACE1D-4463-96E8-6A46-DE027E40887A} - C:\PROGRA~1\SECTME~1\size noun.dll

O3 - Toolbar: Pile Bold 2 - {C0EB8BF3-9214-2FD9-5C34-C245E96ACD5E} - C:\PROGRA~1\SECTME~1\size noun.dll

O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe

O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe

O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe

 

Do a search for wnetmgr.exe on disk and delete it.

Delete all files in folder C:\PROGRA~1\SECTME~1 and the folder itself.

 

If necessary do the above operations in Safe Mode.

 

After that update Windows XP with Service Pack I from MS Update Page.

_______

Wiskonst


Wiskonst, thank you so much for helping me out. My PC was becoming unusable! Doing the above seems to have sorted the problems. Here is a new HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 17:45:12, on 29/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINXP\System32\smss.exe

C:\WINXP\system32\winlogon.exe

C:\WINXP\system32\services.exe

C:\WINXP\system32\lsass.exe

C:\WINXP\system32\svchost.exe

C:\WINXP\System32\svchost.exe

C:\WINXP\system32\spoolsv.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINXP\Explorer.EXE

C:\WINXP\System32\ctfmon.exe

C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

C:\PROGRA~1\thewipe\modestylemeet.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\The Cleaner\tca.exe

C:\Program Files\The Cleaner\tcm.exe

C:\HJT\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [Pure Trans] C:\PROGRA~1\thewipe\modestylemeet.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8133.5747916667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

 

 

The only one I was unsure about is:

C:\PROGRA~1\thewipe\modestylemeet.exe

 

Is that something dodgy?

 

Also for some reason I can't run the Trend Micro scan - it always comes up with some error reading the file.

 

The problem of being able to run programs such as HJT seems to have been fixed for now.

 

Thanks again for your help!


Chimaera

 

Can you uninstall Panicware Popupstopper, then run CWShredder in Safe Mode and fix in Hijack This (also in Safe Mode):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index....w.google.co.uk/

 

Also disable Privacy Guardian when fixing with CWShredder and HJT, and any other page monitor that might be running.

 

Further could you have a look for strange icons on your desktop?

 

If you did not install C:\PROGRA~1\thewipe\modestylemeet.exe

yourself, remove it (fix the line in HJT and delete all files in folder C:\PROGRA~1\thewipe as well as the folder itself).

_______

Wiskonst


Okay, I did the above and here is my new HJT log:

 

Logfile of HijackThis v1.97.7

Scan saved at 21:39:04, on 29/05/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINXP\System32\smss.exe

C:\WINXP\system32\winlogon.exe

C:\WINXP\system32\services.exe

C:\WINXP\system32\lsass.exe

C:\WINXP\system32\svchost.exe

C:\WINXP\system32\svchost.exe

C:\WINXP\Explorer.EXE

C:\WINXP\system32\NOTEPAD.EXE

C:\HJT\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx

O4 - HKLM\..\Run: [iMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe

O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\System32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

O9 - Extra button: ICQ (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...8133.5747916667

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab

 

I think it looks pretty good myself! Certainly no prosearching.com shit at the moment.

 

Wiskonst, thank you very very very much for sorting this out for me! My girlfriend especially says thanks, as she has to use this PC every day and was getting pretty annoyed!


Chimaera

 

Yes the HJT log is clean.

We hope prosearching doesn't return, if so post here again.

 

Clean out the temporary folders:

- C:\Windows\Temp

- C:\Windows\Downloaded Program Files

- C:\Documents and Settings\<name>\Local Settings\Temp

(The last for every user of the PC.)

 

As a general precaution against hijackers we recommend Spywareguard and Spywareblaster (both free). And of course a good firewall (Kerio personal Firewall is free).

 

Good luck

_______

Wiskonst
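
An added illustration, not part of the thread and not HijackThis's or the helper's own method: a small Python triage script that parses HijackThis entry lines, lists O4 autoruns whose executable has no directory path (as `syslog32.exe` and `wnetmgr.exe` do in the fix list above), and diffs two logs to confirm what a cleanup removed. The function names are hypothetical, the bare-filename check is only a heuristic for picking entries to look at first, and the sample lines are excerpts of the first and last logs posted here.

```python
import re

# Excerpts of the first and last HijackThis logs posted in this thread.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/index....w.google.co.uk/
O2 - BHO: (no name) - {CDDACE1D-4463-96E8-6A46-DE027E40887A} - C:\PROGRA~1\SECTME~1\size noun.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] wnetmgr.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] wnetmgr.exe
"""
AFTER = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                       # "O4 - <body>"
AUTORUN = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

def parse(log):
    """Return (section, body) per entry line; header and process list are skipped."""
    return [m.groups() for m in (ENTRY.match(l.strip()) for l in log.splitlines()) if m]

def bare_autoruns(log):
    """O4 registry autoruns whose executable is a bare filename (heuristic, not a verdict)."""
    hits = []
    for section, body in parse(log):
        m = AUTORUN.match(body) if section == "O4" else None
        if not m:
            continue  # not O4, or an O4 startup-folder shortcut
        cmd = m["cmd"].strip()
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
        if not re.search(r"[\\/:]", exe):  # no drive or directory: resolved via search path
            hits.append((m["key"], m["name"], exe))
    return hits

def removed(before, after):
    """Entries present in the first log and absent from the second, in log order."""
    kept = set(parse(after))
    return [e for e in parse(before) if e not in kept]

if __name__ == "__main__":
    for key, name, exe in bare_autoruns(BEFORE):
        print(f"review: {key} [{name}] -> {exe}")
    print(f"{len(removed(BEFORE, AFTER))} entries gone after cleanup")
```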

 


Wiskonst, thanks again for your help.

 

However, one very minor niggle remains - these popup windows, which I have been getting forever and none of the adaware or HijackThis logs seem to pick up. Any idea where they are coming from and how I can stop them?

 

popup.jpg

 

Thanks!

Edited by chimaera


Chimaera

 

These messages are using a service on your PC called the Windows Messenger Service (not to be confused with MSN Messenger).

 

To disable the service, refer to the instructions on this page.

 

You can disable the service altogether, but then you would not have it locally either. To block only the popups coming from the internet, you must use a firewall and close some ports. If you want to do that, post back and I will help you.

 

Good luck

_______

Wiskonst
