Begin2Search Toolbar Removal Instructions

By SteveO28
Sep 2, 2004
Topic Status:
Not open for further replies.
  1. ALOUSH41

    ALOUSH41 Newcomer, in training

  2. AcA-Morphine

    AcA-Morphine Newcomer, in training

    No mate ive tried, ive tried Adaware, s&d, erm spysweeper lol

    i dont know what in my log is safe to delete? Also how to do it whether to do it in safe mode with hidden folders showing or what?? im confused :knock:
  3. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Welcome to TechSpot

    Download and install the following 4 programs, each in their own permanent directory:
    Spybot S&D http://www.safer-networking.org , let it "immunise" your PC, takes only a few seconds.
    Adaware Personal SE http://www.lavasoftusa.com
    HijackThis http://www.tomcoyote.org/hjt/
    CWshredder http://www.spywareinfo.com/~merijn/downloads.html

    Before running any of the above, always make sure you have the latest program-versions,
    and do an online-update in Adaware and Spybot for the latest definitions.

    Reboot in Safe Mode (press F8 a few times upon booting).
    If you have "BeginToSearch" etc. run CWShredder first and let it fix whatever it can.
    If not, run Adaware, then Spybot. Let them each fix whatever they can.
    Then reboot again in Safe Mode.


    I don't know what else is in this directory RDSA, but it looks very suspicious!
    C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll

    Now run Hijackthis with NO other programs open. Let it "fix" the following:
    (some might have gone already through Adaware, Spybot and CWShredder)

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.my.yahoo.com/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qgb8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qgb8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qgb8.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qgb8.hpwis.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qgb8.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\system32\winb2s32.dll
    O2 - BHO: Xbrowse Class - {83DC91DB-7896-43E3-B34D-A7D043F16BB1} - C:\Documents and Settings\All Users\Application Data\RDSA\rdsa.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O2 - BHO: Xbrowse Class - {CE7EF827-47CC-48EB-B570-C367F1E1277E} - C:\Documents and Settings\All Users\Application Data\x1ff\x1ff.dll
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\system32\winb2s32.dll
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235 - http://chat-a4.freeserve.com/Java/cfs31235.cab
    O16 - DPF: ChatSpace Full Java Client 3.1.0.245 - http://chat-a3.freeserve.com/Java/cfs31245.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab28578.cab
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23569c1fee78256cc122/netzip/RdxIE601.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - http://register.btinternet.com/templates/btmailcontrol013.cab
    O16 - DPF: {77460D96-3DB1-11D6-B121-004005E35DF1} (Ctrl_ibi Control 1.4) - http://software.ibi-tec.net/ibi-xs.ocx
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://217.73.66.1/del/loader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
    O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/eng/SysWebTelecomint.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/12119/CTPID.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab27571.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FF4FD95-ACA0-4400-A320-577A312CE1C8}: NameServer = 194.72.9.38 194.74.65.69
  4. AcA-Morphine

    AcA-Morphine Newcomer, in training

    Thanks a million RealBlackStuff !!

    All sorted i think, all the annoying links within certain words seem to be gone mate.

    Thankyou very much, ive put up the new log that i now have, hopefully back to how it should be i hope :)
  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Looks clean, except one.

    Download and run:

    http://cexx.org/lspfix.htm

    Now use these instructions to remove the bad DLL:

    1. Run LSPFix.
    2. Check 'I know what I'm doing'.
    3. Select 'xfire_lsp_8742.dll'.
    4. Click the right-pointing arrow (moves it to the "remove" page).
    5. Click 'Finished'.
    6. Restart your computer in "Safe Mode" (F5 or F8 when starting Windows).
    7. Delete the following file: 'xfire_lsp_8742.dll'
    8. Restart your computer and bring it up in normal mode.
  6. arrhyth

    arrhyth Newcomer, in training

    Begin2Search Help

    Help! I seem to have gotten rid of the toolbar- but there is a remaining problem. Some words are highlighted green and turned into a link. What should I delete to get rid of that?

    Here's my hijack this log. God bless the kind soul who helps me!

    Logfile of HijackThis v1.97.7
    Scan saved at 11:00:26 PM, on 11/23/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\ACER\SNAPSHOT\ACERTMB.EXE
    C:\WINDOWS\SYSTEM\AALVOL.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\WINPOET BROADBAND CONNECTION\WINPPPOVERETHERNET.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
    C:\WINDOWS\JAMMER2ND.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-US\MSNAPPAU.EXE
    
    iˆýfLøfP‘
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE
    C:\PROGRAM FILES\XOFTSPY\XOFTSPY.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\SYSTEM\DSKTRF.DLL
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [MAGICKB] MagStart.exe
    O4 - HKLM\..\Run: [AspireTimeMachine] c:\windows\acer\snapshot\acertmb.exe
    O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [System MScvb] C:\WINDOWS\MSCVB32.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Kernel32] C:\WINDOWS\SYSTEM\Kernel.dll
    O4 - HKLM\..\Run: [SystemSearch] REGEDIT.EXE -S c:\ie.reg
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [Jammer2nd] C:\WINDOWS\Jammer2nd.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
    O4 - HKLM\..\Run: [jtfufya] C:\WINDOWS\SYSTEM\rwyncm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [MsnMsgr] "c:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [System MScvb] C:\WINDOWS\MSCVB32.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.communities.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {0FC64BDC-D14D-4F04-802D-4B9104DF16FB} (SystemCheck Class) - http://www.singnet.com.sg/technical/helptools/pc-check/media/ALTControl.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
  7. JBC02816

    JBC02816 Newcomer, in training

    undefinedundefinedundefined

    Please Help!

    This Begin2search tool bar is driving me crazy. I have run Saybot, Ad-Aware SE, and deleted out the RO & RI lines using HJT: McAfee doesn’t touch it and every time I write them I get no response. I also have SpyNuker installed and this do not pick up on this toolbar either.
    It seems to come back every day and I go through the same process at least once a day trying to eliminate it. I have not eliminated the pop ups either.

    At this point I am not sure what else to delete. Can you recommend anything I should remove off the log?

    Logfile of HijackThis v1.98.2
    Scan saved at 11:03:54 AM, on 11/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MP3Downloading\bindata.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINNT\system32\ntvdm.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Microsoft Works\MSWorks.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 38 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\System32\dsktrf.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\MP3Downloading\bindata.exe" -tray
    O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
    O4 - Startup: WNW.lnk = C:\Program Files\Accent\WNW\WNW.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
  8. Electrick Gypsy

    Electrick Gypsy Newcomer, in training Posts: 89

  9. JBC02816

    JBC02816 Newcomer, in training

    begin2search S\\\\

    Thanks for your input. I review the information on that site and check it against my computer, only a couple of them were listed:
    killinternet ops.ico
    kill all spyware2123.ico
    ke612.ico
    ceditcard12-ico
    kxp312.ico

    I deleted those but this did not seem to resolve the issue of the begin2search toolbar reappearing in the HJT or the highlighting, which means that this is still with me.

    Here is my log again:

    Logfile of HijackThis v1.98.2
    Scan saved at 1:54:59 PM, on 11/26/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    c:\progra~1\mcafee.com\vso\mcvsescn.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINNT\GWMDMMSG.exe
    C:\WINNT\System32\CTHELPER.EXE
    C:\Program Files\PhoneTools\CapFax.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Microsoft Money\System\mnyexpr.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\MP3Downloading\bindata.exe
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
    c:\progra~1\mcafee.com\vso\mcvsftsn.exe
    C:\WINNT\system32\ntvdm.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINNT\System32\taskmgr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 40 for hijackthis.zip\HijackThis.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\System32\dsktrf.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\MP3Downloading\bindata.exe" -tray
    O4 - Startup: Registration-Studio 8.lnk = C:\Program Files\Pinnacle\Studio 8\Register\RegTool.exe
    O4 - Startup: WNW.lnk = C:\Program Files\Accent\WNW\WNW.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/asp/cx_tgctlcm.jsp
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
    O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
    O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://D:\content\include\XPPatchInstaller.CAB
    O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://D:\Content\include\msSecUcd.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4367/mcfscan.cab


    JBC
  10. peterson2k4

    peterson2k4 Newcomer, in training

    begin2search issue

    I got rid of the toolbar but, I still have those annoying text links that redirect me to...Begin2Search.com. Please review my hJT report and tell me what to do. you are my lst hope before reformating...again!

    Logfile of HijackThis v1.97.7
    Scan saved at 2:00:21 PM, on 11/26/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\Program Files\Washer\washer.exe
    C:\WINDOWS\SmcSVR.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\peterson2k4.YOUR-6KR4ZXLD90\Local Settings\Temporary Internet Files\Content.IE5\WDG1C3AN\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.e4me.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\RunServices: [SmcSVR] C:\WINDOWS\SmcSVR.exe
    O4 - HKCU\..\Run: [Washer] C:\Program Files\Washer\washer.exe /0
    O4 - HKCU\..\Run: [SmcSVR] C:\WINDOWS\SmcSVR.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I plead with all of you to guide me out of this begin2search hell.
  11. AcA-Morphine

    AcA-Morphine Newcomer, in training

    Hello again guys. Problem not me this time lol, i have a friend she would have posted herself but is having loads of problems, just thought we'd try here first.

    Ran a number of programs cleaning it up while in safe mode, just thought id see what sort of responce we get with her log that i have included, this log was taken in normal mode thought not safe, any help will be greatly appreicated.

    thankyou

    Morphine
     
  12. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    For ALL of you, read my "Sticky" at the top of the "Windows" forum.
    There is loads of new information in it!
    Do what it says there first, then follow the instructions here.

    For Arrhyth:
    Have HJT fix:
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\SYSTEM\DSKTRF.DLL
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [jtfufya] C:\WINDOWS\SYSTEM\rwyncm.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    and all your O16 entries


    For JBCO2816:
    This is questionable: C:\Program Files\MP3Downloading\bindata.exe
    Uninstall: O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe

    Have HJT fix:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rhodeisland.cox.net/
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINNT\System32\dsktrf.dll
    and all your O16 entries


    For Peterson2K4:
    You irresponsible *****, get some Antivirus program installed pronto!

    Unless this is the Chess-program, uninstall anything to do with:
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe

    Have HJT fix:
    C:\WINDOWS\SmcSVR.exe
    O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O4 - HKLM\..\RunServices: [SmcSVR] C:\WINDOWS\SmcSVR.exe
    O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com
    and all your O16 entries


    For AcA-Morphine:
    See the special instructions for:
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing

    Have HJT fix:
    C:\Program Files\Winamp\winampa.exe
    C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    C:\WINDOWS\dhbrwsr.exe
    C:\Program Files\Web_Rebates\WebRebates0.exe
    C:\WINDOWS\dhsvr.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50135
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50135
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50135
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
    O2 - BHO: E.HH - {9E992732-295F-4987-8BE3-16FAC1639198} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.dll (file missing)
    O2 - BHO: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
    O3 - Toolbar: zSearch Bar - {5886A6DC-AAF4-45E9-979A-8E5E6DEE30E7} - C:\Program Files\zSearch\zSearch.dll
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
    O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
    O4 - HKLM\..\Run: [DealHelperBrwsr] C:\WINDOWS\dhbrwsr.exe
    O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msgked.exe
    O4 - HKCU\..\Run: [\IEService.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\IESERV~1\IEService.exe
    O4 - HKCU\..\Run: [zSearch] C:\Program Files\zSearch\Zstb.exe
    O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
    O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    and all your O16 entries

    I am not sure if it is worth it to fix this PC. It might be better to reinstall from scratch.
    Please give me an honest answer: WHEN was this Avast AV installed, BEFORE or AFTER this deluge of spyware?
    (I would say AFTER, but if BEFORE, get rid of it and replace with something else). Give me the answer anyway, please!
  13. djleyo

    djleyo Newcomer, in training Posts: 46

    god help me!!!!

    i cant remove this hijack begin 2 search i have this log
  14. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    See Julio's answer underneath,
    his is much nicer than my original text! (that I just wiped)
  15. Julio Franco

    Julio Franco TechSpot Editor Posts: 6,511   +308

  16. AcA-Morphine

    AcA-Morphine Newcomer, in training

    Thanks for the responce RealBlackStuff, jesus theres alot on there.

    i spoke to her regarding the Avast and she seems to think its been on there since September. Would u advise to get a new one then mate?
  17. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Before I answer to that, I need to know how religiously that PC's AV is updated, what are the browsing habits (downloading MP3 and stuff?).
    I heard good things about Avast, supposedly better than the free AVG, but I am not sure now.
    I use Extendia AVK Pro, and have not seen a virus in years.
  18. flamingshadow

    flamingshadow Newcomer, in training

    After reading this thread, I tried to remove the begin2search toolbar by myself. I sucedded in removing the toolbar but the "Page cannot be displayed" page is still the begin2search one. Can anyone help me here? Thanks.

    I attached my log (This board would not let me post for some reason, url's or something)
     
  19. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Flamingshadow

    Welcome to TechSpot

    First off, go here and follow EXACTLY as it says there.
    http://www.techspot.com/vb/topic17297.html
    Note the part about 'xfire_lsp...' at the bottom as well.

    Also, your AVG6 will expire at the end of this year. Replace it with the (free) AVG7.
    When updated, run a full scan of your system.

    On of the following files is the official one, you will need to compare all of these with your original CD to establish which one is the "goodie". You may have the "Sircam" virus.
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\rundll32.exe

    After you have done as instructed in above post, Run your UPDATED HJT on its own in Safe Mode and "fix" all of these, if any are still left after Adaware, Spybot and co.:

    C:\WINDOWS\kdx\KHost.exe
    C:\WINDOWS\system32\svchost32.exe
    C:\WINDOWS\system32\NotifyPhoneBook.exe
    C:\Program Files\Windows AdControl\WinAdCtl.exe
    C:\Program Files\Windows AdControl\WinAdAlt.exe
    C:\Program Files\Greetings Workshop\GWREMIND.EXE
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\system32\cidaemon.exe

    O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\svchost32.exe"
    O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
    O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
    O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
    O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...f43bd50bd95d:dbe19f2b9f6e79fd1e76de901b6c1e8b
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1079102657625
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...le.com/saba/us/win/QuickTimeFullInstaller.exe
    O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37842.8861458333
    O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B819A037-7A70-4442-9196-34658C86BFD7}: NameServer = 165.21.100.88 165.21.83.88
  20. Il0ki

    Il0ki Newcomer, in training

    begin2search headeach

    Hi guys

    I am trying to post my results from HiJackThis but I get an error "Your Post contains one or more URLs, please remove them before submitting your message again."

    Any ideas?

    Thanks

    :hotbounce
  21. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Click on "go advanced" when you post, and send your HJT-log as an attachment, e.g. "hijackthis.txt"
    Do NOT use the ZIP-format.
  22. Il0ki

    Il0ki Newcomer, in training

    Can you help?

    I attached the file

    Can you let me know what I still have after running Ad-Aware and Spybot?

    Thanks in advance
  23. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Iloki

    Run HJT standalone in Safe Mode and let it "fix":

    C:\Program Files\Winamp3\winampa.exe
    C:\WINNT\loadqm.exe
    C:\WINNT\System32\pngcm.exe

    -- Do you run more than one language on your PC? (like switching keyboard-language)
    -- If not, this needs to be "fixed" as well:
    C:\WINNT\System32\internat.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R3 - Default URLSearchHook is missing
    O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
    O4 - HKLM\..\Run: [aihwbqf] C:\WINNT\System32\acjctp.exe
    O4 - HKCU\..\Run: [ZEv2RXKpW] pngcm.exe
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab

    At the end, delete all the files thate were "fixed".
  24. djleyo

    djleyo Newcomer, in training Posts: 46

    this worked

    since begintosearch is an old malware***i got slammed by this one ***the hay to remove it is by using hijackthis ***and downloading the yahoo toolbar with anti-spyware ****this anti spyware removed all traces of begintosearch
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.