|
| ||
| hijacked web browser (prosearching.com) my home page has been taken over by "prosearching.com", which is reset as my home page after every reboot. a separate search toolbar also pops up and everytime i do a google search, internet explorer's search function gets turned on but it looks like a search engine for something other than IE's search. i ran adaware and after deleting the files that it recognized now get an error message after rebooting that says "error loading C:\\WINDOWS\CRPI.DLL" here is my log from hijackthis - please help: Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SA3DSRV.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\PTUDFAPP.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\MOUSE\SYSTEM\EM_EXEC.EXE C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE C:\COMPAQ\INTERNET\CISRVR.EXE C:\CPQS\BWTOOLS\BWTRAY.EXE C:\WINDOWS\SYSTEM\CPQPSCP.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE C:\PROGRAM FILES\STORE WAIT\WINDOWBUILDFOUR.EXE C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE C:\WINDOWS\SYSTEM\SYSTEM.EXE C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE C:\CPQS\BACKWEB\PROGRAM\BACKWEBXID.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\AD-AWARE.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1033\95\MAPISP32.EXE C:\WINDOWS\SYSTEM\PSTORES.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough/...www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer N1 - Netscape 4: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Program Files\Netscape\Users\anish1\prefs.js) O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSLR\MSLR32.DLL (file missing) O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSLR\ATLRB.DLL (file missing) O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSLR\NETGO.DLL (file missing) O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing) O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL (file missing) O2 - BHO: (no name) - {961EAEA4-B083-917C-90C8-B4A950BA8D56} - C:\PROGRAM FILES\INSIDESECTBONE\JUNKTRAY.DLL (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch O4 - HKLM\..\Run: [WinampAgent] C:\PROGRAM FILES\WINAMP\winampa.exe O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\CRPI.DLL,Install O4 - HKLM\..\Run: [Send Download] C:\PROGRA~1\Store Wait\Windowbuildfour.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe O4 - HKLM\..\RunServices: [ConfigServices] C:\CPQS\TOOLS\CONFIG.EXE O4 - HKLM\..\RunServices: [HC Reminder] hc.exe O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [Desktop Weather] C:\PROGRA~1\THEWEA~1\TheWea~1.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\SYSTEM.EXE O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\CRPI.DLL,Install O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM) O9 - Extra button: Translate (HKLM) O9 - Extra 'Tools' menuitem: AV &Translate (HKLM) O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM) O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe |
| ||
| Re: hijacked web browser (prosearching.com) Hi.. i suggest you download Webroot spy sweeper this program will detect when your browser is been hijacked and it will stop it from happening, plus, spy sweeper will detect and remove all the spyware which adaware cant! Once you have run spy sweeper change your homepage back to what you want! Lee. |
| ||
| Re: hijacked web browser (prosearching.com) Reboot into safe mode following the instructions here & Unzip HJT into it's own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or directly on the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked' : R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://prosearching.com/passthrough.../www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#10213 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#10213 O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\WINDOWS\APPLICATION DATA\MSLR\MSLR32.DLL (file missing) O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\WINDOWS\APPLICATION DATA\MSLR\ATLRB.DLL (file missing) O2 - BHO: ShowSearch module - {E2DDF680-9905-4dee-8C64-0A5DE7FE133C} - C:\WINDOWS\APPLICATION DATA\MSLR\NETGO.DLL (file missing) O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing) O2 - BHO: (no name) - {4BCF322B-9621-4e90-9678-F1424EB7584E} - C:\WINDOWS\UDPMOD.DLL (file missing) O2 - BHO: (no name) - {961EAEA4-B083-917C-90C8-B4A950BA8D56} - C:\PROGRAM FILES\INSIDESECTBONE\JUNKTRAY.DLL (file missing) O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\CRPI.DLL,Install O4 - HKLM\..\Run: [Send Download] C:\PROGRA~1\Store Wait\Windowbuildfour.exe O4 - HKCU\..\Run: [ssgrate.exe] C:\WINDOWS\SYSTEM\SYSTEM.EXE O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\CRPI.DLL,Install O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\MAIN.MHT!http://d.dialer2004.com//paxan/main.chm::/load.exe Go to & delete the following: C:\PROGRA~1\Store Wait< folder C:\WINDOWS\SYSTEM\SYSTEM.EXE< file Please go here & install ALL critical updates required for your system. Reboot normally after doing the above then post a fresh log plz. |
| ||
| Re: hijacked web browser (prosearching.com) Norton reports a virus when i click on the reply /quote to XXplosive's post above ,Be careful . |
| ||
| Re: hijacked web browser (prosearching.com) Followed all the above steps and everything seems to be back to normal. Thank you! Here is the latest log - please let me know if it looks okay or if further steps are needed. Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\SA3DSRV.EXE C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\SYSTEM\DDHELP.EXE C:\WINDOWS\SYSTEM\PTUDFAPP.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\MOUSE\SYSTEM\EM_EXEC.EXE C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\CPQEADM.EXE C:\COMPAQ\INTERNET\CISRVR.EXE C:\CPQS\BWTOOLS\BWTRAY.EXE C:\WINDOWS\SYSTEM\CPQPSCP.EXE C:\WINDOWS\SYSTEM\QTTASK.EXE C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE C:\PROGRAM FILES\WINAMP\WINAMPA.EXE C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE C:\PROGRAM FILES\EXIF LAUNCHER\QUICKDCF.EXE C:\PROGRAM FILES\COMPAQ\EASY ACCESS BUTTON SUPPORT\BTTNSERV.EXE C:\WINDOWS\SYSTEM\SPOOL32.EXE C:\CPQS\BACKWEB\PROGRAM\BACKWEBXID.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\1033\MSOFFICE.EXE C:\PROGRAM FILES\COMPAQ\ON-SCREEN DISPLAY\OSD.EXE C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE C:\MY DOCUMENTS\HIJACKTHIS\HIJACKTHIS.EXE R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presario.net/scripts/r...s=search&i=enu R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.presario.net/scripts/r...s=search&i=enu R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer N1 - Netscape 4: user_pref("browser.startup.homepage", "www.yahoo.com"); (C:\Program Files\Netscape\Users\anish1\prefs.js) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe O4 - HKLM\..\Run: [EACLEAN] C:\Program Files\Compaq\Easy Access Button Support\eaclean.exe O4 - HKLM\..\Run: [Aureal A3D Interactive Audio Init] A3dInit.exe O4 - HKLM\..\Run: [Compaq Internet Setup] C:\Compaq\Internet\InetWizard.exe /RUN O4 - HKLM\..\Run: [CISrvr Program] C:\COMPAQ\INTERNET\CISRVR.EXE O4 - HKLM\..\Run: [Service Connection] c:\cpqs\bwtools\bwtray.exe O4 - HKLM\..\Run: [OEMCLEANUP] c:\windows\OPTIONS\oemreset.exe O4 - HKLM\..\Run: [CompaqSysTray] cpqpscp.exe O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [WinampAgent] C:\PROGRAM FILES\WINAMP\winampa.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [Aureal A3D Interactive Audio] sa3dsrv.exe O4 - HKLM\..\RunServices: [ConfigServices] C:\CPQS\TOOLS\CONFIG.EXE O4 - HKLM\..\RunServices: [HC Reminder] hc.exe O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe O4 - HKCU\..\Run: [Desktop Weather] C:\PROGRA~1\THEWEA~1\TheWea~1.exe O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE O4 - Startup: Zip Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: Exif Launcher.lnk = C:\Program Files\Exif Launcher\QuickDCF.exe O8 - Extra context menu item: AltaVista Home - http://jump.altavista.com/avie5/home O8 - Extra context menu item: AV Search This Term - http://jump.altavista.com/avie5/search O8 - Extra context menu item: AV Translate this Web Page - http://jump.altavista.com/avie5/babelfish O8 - Extra context menu item: AV Translate Selection - http://jump.altavista.com/avie5/babelfish O9 - Extra 'Tools' menuitem: &AltaVista Home (HKLM) O9 - Extra button: Translate (HKLM) O9 - Extra 'Tools' menuitem: AV &Translate (HKLM) O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM) O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM) O9 - Extra button: Real.com (HKLM) O9 - Extra button: Net2Phone (HKLM) O9 - Extra 'Tools' menuitem: Net2Phone (HKLM) O9 - Extra button: AIM (HKLM) O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB |
| ||
| Re: hijacked web browser (prosearching.com) Good job! Looks like you got it all. |
| ||
| Re: hijacked web browser (prosearching.com) Thanks for the great help! |
| ||
| Re: hijacked web browser (prosearching.com) You are welcome. Marking this as solved. Others with similar problems, please start your own thread. Thank you. |
| All times are GMT -4. The time now is 4:23 am. |
Forum system based on vBulletin Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
©2003 - 2009 DaniWeb® LLC