does anyone know about begin2search?

By dp19
Nov 24, 2004
Topic Status:
Not open for further replies.
  1. I had Weatherbug on my PC and made the mistake of clicking on an ad on Weatherbug. I am now overloaded with spy/adware. The biggest being from BEGIN2SEARCH. I was trying to do some research on this but I am coming to no luck. No spyware or adware remover I have been able to get will detect this, nor will my Norton antivirus. I read that a user used the HIJACK THIS program. I was able to remove some of the stuff but not everything. Here is my log. Can someone please let me know what else to remove so I can get rid of this thing for good? I got rid of it being my default search engine, but now on every website it takes a while for it to load because BEGIN2SEARCH reviews it and highlights key words in green and makes them searches if I click on them. Thanks everyone for helping and here is the log.


    Logfile of HijackThis v1.97.7
    Scan saved at 1:40:56 AM, on 11/24/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
    C:\Program Files\NavNT\vptray.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\Documents and Settings\Dave\Local Settings\Temp\HijackThis.exe
    :confused:
  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    We need the COMPLETE log to help you.
  3. mindspin

    mindspin Newcomer, in training Posts: 48

    One thing I can recommend after you've solved this problem is to start using Firefox. It has got excellent popup blocking features and lots more. Internet Explorer has so many exploits which people can take advantage of...
    www.getfirefox.com

    And if you really want to keep using IE, all I can advise is to only visit good websites, no websites about warez, pornography or anything like that; all they do is install things on your computer which you don't want and don't like.

    PS. My parents' PC had Windows running first, but I had to get rid of spyware almost daily! I decided to get them Fedora as OS and it works perfectly, no more spyware, no more viruses. Works like a breeze.
  4. mindspin

    mindspin Newcomer, in training Posts: 48

  5. dp19

    dp19 Newcomer, in training Topic Starter

    I ran it again and this is the entire log that populates.

    Logfile of HijackThis v1.97.7
    Scan saved at 8:13:06 AM, on 11/24/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Documents and Settings\Dave\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {8A321C7D-9CED-45A8-870D-DAE843A45FD0} - C:\Program Files\Armor2net\Armor2net Personal Firewall\PopUpKiller.dll
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Armor2net] C:\Program Files\Armor2net\Armor2net Personal Firewall\Armor2net.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb06.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
    O10 - Unknown file in Winsock LSP: c:\program files\armor2net\armor2net personal firewall\netdog.dll
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/108b357a0551e449b403/netzip/RdxIE601.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38200.0322337963
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/controls/GDI/0/GDIChk.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab



    thanks for any help.
  6. i_need_answers

    i_need_answers Newcomer, in training Posts: 144

    Try this

    Try this: go to Control Panel, then do Add/Remove Programs. Maybe this will work. I downloaded something that included begin2search in the package and it had a little toolbar at the bottom of my monitor. I did this and it worked for me; don't know if this will work for you though.
    Hope this works.
  7. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Welcome to TechSpot

    Download and install the following 4 programs, each in their own permanent directory:
    Spybot S&D http://www.safer-networking.org , let it "immunise" your PC, takes only a few seconds.
    Adaware Personal SE http://www.lavasoftusa.com
    HijackThis http://www.tomcoyote.org/hjt/ your version is outdated!
    CWshredder http://www.spywareinfo.com/~merijn/downloads.html

    Before running any of the above, always make sure you have the latest program-versions,
    and do an online-update in Adaware and Spybot for the latest definitions.

    Make sure that in Explorer, the option to "show all files and folders, including hidden and system" is turned on.
    See here how to do that: http://www.bleepingcomputer.com/forums/tutorial62.html

    Reboot in Safe Mode (press F8 a few times upon booting).

    Uninstall Freescan
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan

    Empty the Temp folders especially
    C:\Documents and Settings\{user}\Local Settings\Temp

    In IE, click on Tools/Internet options and
    empty your Temporary Internet Files, all offline content and delete cookies.

    When you are done with the above:
    If you have "BeginToSearch" etc. run CWShredder first and let it fix whatever it can.
    If not, run AdAware, press the "Start" button, uncheck "Scan for negligible risk entries", select "Perform full system scan" and press "Next". Let AdAware remove anything it finds.
    Then run Spybot. Let it also fix whatever it can.
    Then reboot again in Safe Mode.

    Now run Hijackthis with NO other programs open, and let it "fix": (if not already deleted by the previous programs)

    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/ge...director/sw.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/108b357...ip/RdxIE601.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc4.webresponse.one.micros...p/TLIEFlash.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.c...8200.0322337963
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/c...DI/0/GDIChk.CAB
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/ge...ash/swflash.cab
  8. Electrick Gypsy

    Electrick Gypsy Newcomer, in training Posts: 89
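
Added example (not part of any post in this thread): a Python sketch that groups HijackThis entries by section code and lists O2 and O4 entries whose file sits in an unexpected directory, which picks out the same `dsktrf.dll` BHO and `freescan.exe` Run entry named in post 7. The directory rule is an assumption made for illustration, not HijackThis's own logic, and a hit only means the entry deserves a manual look.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log posted in this thread (subset).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [Spyware Begone] c:\freescan\freescan.exe -FastScan
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

# "<section code> - <rest>", e.g. "O2 - BHO: ..." or "R0 - HKCU\...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
# First absolute path to an .exe or .dll inside an entry body.
FILE_PATH = re.compile(r'[A-Za-z]:\\[^,"]*?\.(?:exe|dll)', re.IGNORECASE)

# Assumed review rule (illustration only, not HijackThis logic):
# a BHO DLL is expected under Program Files; a Run target is expected
# under Program Files or the Windows directory.
PROGRAM_DIRS = ("c:\\program files\\", "c:\\progra~1\\")
WINDOWS_DIR = ("c:\\windows\\",)


def triage(log_text):
    """Return (entries grouped by section code, entries worth a manual look)."""
    sections, review = defaultdict(list), []
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue  # header, blank line or running-process path
        code, body = entry.groups()
        sections[code].append(body)
        found = FILE_PATH.search(body)
        if not found:
            continue  # URL-only entry or bare file name: nothing to locate
        path = found.group(0).lower()
        if code == "O2" and not path.startswith(PROGRAM_DIRS):
            review.append((code, path))
        elif code == "O4" and not path.startswith(PROGRAM_DIRS + WINDOWS_DIR):
            review.append((code, path))
    return dict(sections), review


if __name__ == "__main__":
    for code, path in triage(SAMPLE_LOG)[1]:
        print(code, path)
```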
