Begin2Search

[keri4444]

Hey I am kind of new to this but I ran hijack this and here is what it says. I have that begin2click tool bar thing and random words are being highlighted. Please help!! Thanks so much.

Logfile of HijackThis v1.98.2
Scan saved at 2:47:15 PM, on 9/26/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\HPZipm12.exe
C:\WINNT\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\loadqm.exe
C:\WINNT\loadqm.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINNT\System32\hphmon05.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Zedd4Proj.clsUnoOne - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINNT\System32\AANTX.dll
O2 - BHO: (no name) - {1DBA51A4-C06D-3BCC-EFDB-5CB53B19EB4E} - C:\WINNT\Fpjlyhkm.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\system32\winb2s32.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Search - {63B1F3C6-3988-E43A-A42C-D026E78C50F6} - C:\WINNT\Fpjlyhkm.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\system32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [lwrgf] C:\WINNT\lwrgf.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [vqyifdbus] C:\WINNT\System32\ffgwvp.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Keri\Application Data\DownloadPlus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

 

[MrGaribaldi]

:wave: Hello & Welcome to TechSpot :wave:

I'm not sure I've found all, but these should be removed:

• R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
• R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
• R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
• R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
• R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
• R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
  
• O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
• O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

I'd probably add these, but not sure so back them up before you do anything

• O2 - BHO: (no name) - SOFTWARE - (no file)
• O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
• O2 - BHO: (no name) - {1DBA51A4-C06D-3BCC-EFDB-5CB53B19EB4E} - C:\WINNT\Fpjlyhkm.dll
• O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
• O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
• O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll

I'm sure there's more that I missed, but hopefully someone else will remedy that.
(You can also check by searching for each filename on google and see what results you get.)

 

[RealBlackStuff]

Mr G got some, but not all.

Start with uninstalling DownloadPlus, it is adware.
When finished with HijackThis, D/L and install the free and ad-free Stardownloader from www.stardownloader.com instead.

This is the list of things to get rid of.
Boot into Safe Mode (press F8 a few times at startup).
Without any other programs open , run HJT, then mark all the leftovers underneath, and click on "Fix marked".

Reboot into normal mode, D/L and install both Adaware Personal SE and Spybot S&D. Do a program-update for new definition-files first on each. Let Spybot "immunise" your system.
Run these 2 programs at least once a week in the future, always after doing an update first.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: Zedd4Proj.clsUnoOne - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - C:\WINNT\System32\AANTX.dll
O2 - BHO: (no name) - {1DBA51A4-C06D-3BCC-EFDB-5CB53B19EB4E} - C:\WINNT\Fpjlyhkm.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\system32\winb2s32.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
O3 - Toolbar: Search - {63B1F3C6-3988-E43A-A42C-D026E78C50F6} - C:\WINNT\Fpjlyhkm.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\system32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [lwrgf] C:\WINNT\lwrgf.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [vqyifdbus] C:\WINNT\System32\ffgwvp.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKCU\..\Run: [msmc] C:\WINNT\System32\msmc.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Keri\Application Data\DownloadPlus.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

 

[keri4444]

Thanks for the help.

How do I get rid of DownloadPlus....its not on my add/remove programs list??

And also....these wont delete for good off of the Highjack This list. They delete but then when I run the program again, they come back. Any ideas??

O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

Thanks!

 

[Mictlantecuhtli]

Originally posted by keri4444
How do I get rid of DownloadPlus....its not on my add/remove programs list??

First, make sure it's not running on background (if it is, kill it with Task Manager - ctrl+shift+ESC), then delete it from C:\Documents and Settings\Keri\Application Data.

 

[RealBlackStuff]

You have been hijacked by SpyDeleter, please download CWShredder at http://www.spywareinfo.com/~merijn/files/cwshredder.zip and run it.

SpyDeleter is a derivative of SpyWiper, another piece of crap.
If you are interested, read more about it here:
http://tired-of-spam.home.comcast.net/spydeleter.html