Author Topic: Does anyone know about "prosearching.com"?  (Read 21422 times)

bonvie

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #15 on: March 12, 2004, 12:36:10 AM »
http://lop.com/help.html#how

I found it here; scroll to the bottom and follow the instructions.  It is not on my toolbar anymore ;D ;D

stevejrc

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #16 on: March 12, 2004, 12:45:06 AM »
IE-SPYADS is good, it's freeware that adds a huge list of sites to the IE restricted sites zone, prosearching.com is included. Updated frequently too.

http://www.staff.uiuc.edu/~ehowes/resource.htm#IESPYAD

Spyware blaster is good too, but the above has loads more sites.

BKB

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #17 on: March 12, 2004, 11:52:34 PM »
I have the prosearch problem...help

waiknot

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #18 on: March 17, 2004, 11:21:01 AM »
Thank you, it's gone. This company needs to be sorted for sending this crap :) 8)

Dawn77

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #19 on: March 17, 2004, 07:34:42 PM »
Well, thanks to this info now I know what I can do to fix this problem ........ My computer is 1 week old today and I already have this shit on it! I am sorry that everyone had to deal with this crap too, but because you did now I can fix mine.

chipper134

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #20 on: March 18, 2004, 11:32:54 AM »
I am having the same problem. I have tried Symantec, Ad-Aware, Spybot and several others.  They seem to work for about an hour and then the toolbars and files appear again.  If you find an answer please e-mail me at chipper1134x4@yahoo.com.  I also have had issues logging into my Yahoo account.  I have been directed into other people's accounts randomly, and wonder if this is related.  Have you had the same issue?  Believe it or not, Yahoo does not seem interested in helping to resolve this.

bholowach

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #21 on: March 18, 2004, 10:15:54 PM »
THANK YOU

It's Gone

McPhee

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #22 on: March 20, 2004, 01:14:28 PM »
I tried ad-ware and spybot, but to no avail. Found this site and got rid of it in seconds by following the link to lop.com.

Thanks Bonvie!!   ;D

peoplerunfromme6

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #23 on: March 20, 2004, 11:30:59 PM »
I also have been hijacked by this "prosearching" dealie. It happened right after I installed, updated and ran Spybot and Adaware!!! It really sucks, 'cause I love Google and hate spyware. I'm the kinda person who would wear an aluminum hat to stop ppl from looking @ his brain. Anyway, I looked @ a lot of threads here and @ other sites and figured I might as well post a HijackThis log. Well..umm...here:

Logfile of HijackThis v1.97.7
Scan saved at 4:23:55 PM, on 3/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\teststupidokay\up cdrom loud.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\home\Local Settings\Temp\Temporary Directory 1 for hijackthis1977[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [EPSON Stylus C84 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2D1.EXE /P23 "EPSON Stylus C84 Series" /O6 "USB001" /M "Stylus C84"
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [thunklogo] C:\PROGRA~1\teststupidokay\up cdrom loud.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CEFB7B49-9652-464F-8AFD-A577C0500F39} (EGP2ECOM Class) - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1004a_pack_XP.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
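
An added example, not part of any post in this thread or of HijackThis itself: a short Python parser for the `R0`/`R1` and `O4` lines of a HijackThis log like the one above. It reports the Internet Explorer start/search settings that point at a given domain and lists the autostart entries for manual review. The function names are choices made for this example, and the sample lines are copied from the posted log.

```python
import re
from urllib.parse import urlparse

# HijackThis R-lines record IE start/search page registry values as:
#   R1 - <registry key>,<value name> = <data>
R_LINE = re.compile(r"^(R[0-3]) - (HK(?:CU|LM)\\[^,]+),(.+?) = (.*)$")
# O4 lines record autostart entries (Run keys and Startup folders).
O4_LINE = re.compile(r"^O4 - (.+?): (.+)$")

# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://prosearching.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: PowerReg SchedulerV2.exe
"""

def host_of(data):
    """Return the lower-cased host of a URL value, tolerating a missing scheme."""
    data = data.strip()
    if "://" not in data:
        data = "http://" + data
    return (urlparse(data).hostname or "").lower()

def hijacked_settings(log, bad_domains):
    """Return (section, key, value name, data) for R-lines whose host matches."""
    hits = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if not m:
            continue
        host = host_of(m.group(4))
        # Match the domain itself and any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in bad_domains):
            hits.append(m.groups())
    return hits

def autostart_entries(log):
    """Return (location, entry) for every O4 line, for manual review."""
    matches = (O4_LINE.match(line.strip()) for line in log.splitlines())
    return [m.groups() for m in matches if m]

if __name__ == "__main__":
    for section, key, name, data in hijacked_settings(SAMPLE_LOG, {"prosearching.com"}):
        print(f"{section}: {key} [{name}] -> {data}")
    for location, entry in autostart_entries(SAMPLE_LOG):
        print(f"autostart ({location}): {entry}")
```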

Shade

  • Guest
Re:Does anyone know about "prosearching.com"?
« Reply #24 on: March 21, 2004, 05:18:04 PM »
To everybody,
After two weeks of struggle I finally managed to eradicate Prosearching from my PC. I will explain to you how to get rid of it.

You have surely noticed that even if your Antivirus got rid of the trojan (Norton Antivirus Professional 2004 told me that the exe responsible is SAVENOW.EXE), your start page remains Prosearching/blahblah...

BUT I have located another exe that causes your start page to change. I have found it by exclusion. The name of the exe is OBJAIM.EXE (its icon represents a money pouch). If you don't believe me, try by yourselves and see your task manager: you will find it there among your processes.

You could not consider OBJAIM.EXE as a threat because if you right-click on it calling its properties, you will notice that the date of creation is different from the date in which you have been infected.

If you should have any doubts you can launch MSCONFIG, uncheck OBJAIM.EXE from the automatic execution and restart your computer. When you return to the MSCONFIG pane you will notice that another OBJAIM instance has been created, and this IS checked.

My previous attempts at getting rid of the Prosearching start page failed because I tried to manually delete the registry keys created by this malware, but I had not noticed an important fact: the keys were respawned after one minute or two! The registry keys are:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Search Page    http//prosearching.com/searchbar.html
Start Page       prosearching.com
Start Page       http//prosearching.com/passthrough/index.html?http://

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
SearchAssistant   http//prosearching.com/searchbar.html

Do not bother deleting them 'cause, like I said, they are re-generated after a few minutes.

Looking at these keys I have realized another thing. There are MULTIPLE start pages and the malware cycles between them while your PC is active. That's why you see alternatively:

PROSEARCHING.COM
PROSEARCHING
PROSEARCHING/PASSTHROUGH/.../youroriginalstartpage.

That's all I have discovered. I hope this information will be useful. One last thing: please forgive me for my English but I am Italian.