HJT log- begin2search

Status
Not open for further replies.
Computer got possessed yesterday-just about locked up completely. The really bad stuff even turned off my Spy Sweeper shields. Anyway, cleaned things up a lot (thanks for all the info) but still had begin2 search. Followed your instructions for removal but my Adaware download wouldn't run (kept saying missing or corrupt file and would abort setup). So I used Spysweeper instead. After running HJT I did fix some obvious bad files but was afraid to check too many things. Anyway the begin2search toolbar is gone but computer still not right. Went back and ran the 3 antispy programs again in safe mode and spysweeper picked up begin2search again. Anyway here is my hjt log after second decontamination. I didn't check anything or fix anything from this yet. Also, wasn't sure about a few things in your instructions. Delete fixed files in hjt and delete bold directories? Didn't know how. As you can tell I know nothing about computers. Also I did download windows xp updates after I thought computer was clear, but I guess it wasn't. Does this matter?
 

Attachments

  • hijackthis latest.txt
    4.5 KB
Boot in Safe Mode
Switch off System Restore
Press ctrl/alt/del and in Taskmanager try to STOP:

Cyb2k.exe
Vyhrsaz.exe
nwshela2.exe

Next, run HJT on its own and let it 'fix':
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: SDWin32 Class - {69532979-E662-49C0-B5DF-4EB9ACBF9EAA} - C:\WINDOWS\System32\ylqsd.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [Ebamumv] C:\Program Files\Bhou\Vyhrsaz.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u ==>> only fix, do NOT delete <<==
O4 - HKCU\..\Run: [LowmRSNng] nwshela2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?

When done, delete the bold files. When a directory is also bold, delete everything in it, including that directory itself.

Example: C:\WINDOWS\System32\ylqsd.dll
In Explorer, go to C:\WINDOWS\System32, find ylqsd.dll, highlight it and press the Delete or Del key. Confirm that.
Example: C:\Program Files\Bhou\Vyhrsaz.exe
In Explorer, go to C:\Program Files\Bhou\, highlight Bhou and press the Delete or Del key. Confirm that.
Capisce?

Now go and delete everything in your c:\documents and settings\[username]\local settings\temp and delete everything in the temp directory.
In IE click on Tools/Internet Options and delete all temp. files, cookies and history.

Boot in normal mode. When all OK, put System Restore back on.
Then go to www.getfirefox.com and install Firefox. Use that from now on.
Use IE only for windows-updates.
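
Added example (not from the thread and not part of HijackThis): Python that parses the fix list in the reply above into entry type, registry location and file, and shows which entries name a full path, which give only a bare file name, and which carry the "do NOT delete" note. The function names and the check labels are this example's own assumptions.

```python
import re
# Fix list copied from the reply above, including its inline "==>> ... <<==" note.
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: SDWin32 Class - {69532979-E662-49C0-B5DF-4EB9ACBF9EAA} - C:\WINDOWS\System32\ylqsd.dll
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\System32\ic2_win.dll
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [Ebamumv] C:\Program Files\Bhou\Vyhrsaz.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u ==>> only fix, do NOT delete <<==
O4 - HKCU\..\Run: [LowmRSNng] nwshela2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

PATTERNS = [  # R* = IE setting, O2 = Browser Helper Object, O4 = autostart entry
    ("ie_setting", re.compile(r"^R[0-3] - (?P<where>[^,]+),(?P<name>[^=]+?) = (?P<target>.*)$")),
    ("bho", re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<where>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")),
    ("run", re.compile(r"^O4 - (?P<where>HK(?:LM|CU)\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")),
    ("startup", re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<target>.*)$")),
]

def parse(text):
    """Parse HijackThis lines into dicts; a trailing '==>> ... <<==' note is split off."""
    entries = []
    for raw in text.strip().splitlines():
        line, _, note = raw.partition("==>>")
        for kind, rx in PATTERNS:
            m = rx.match(line.strip())
            if m:
                entries.append({"kind": kind, "note": note.replace("<<==", "").strip(), **m.groupdict()})
                break
    return entries

def file_of(entry):
    """Best-effort file named by an entry; None when the log shows no file."""
    if entry["kind"] == "ie_setting" or entry["target"] in ("", "?"):
        return None
    m = re.match(r'"?(.+?\.(?:exe|dll))\b', entry["target"], re.I)  # path may contain spaces
    return m.group(1) if m else entry["target"].split()[0]

def checklist(text):
    """(file, what to verify) per entry that names a file; labels are this example's own."""
    out = []
    for e in parse(text):
        f = file_of(e)
        if f and "do NOT delete" in e["note"]:
            out.append((f, "fix entry only, keep file"))
        elif f:
            out.append((f, "full path, check disk" if "\\" in f else "bare name, search disk"))
    return out
```

The `nwshela2.exe` entry comes back as a bare name because the log line gives no folder for it, so its location has to be found by searching rather than read from the log.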
 
Thanks

Thank you for your help. Those processes are no longer running when I check task manager. A few more questions: that (userfaultcheck) wasn't on my next hjt log-probably because when spysweeper told me it was trying to run at startup, I said not to let it. Was that bad? Also, I couldn't find two of the bold files I was supposed to delete. The first was ic2_win.dll--it wasn't in the system32 folder. Also, the nwshela2.exe file-I couldn't find it. Didn't really know where to look but I did a search and it didn't come up. Maybe HJT deleted it? Also, I got an error message when HJT was fixing. It said it was saving the info to my notepad, but I don't know where to find it to post it here. Should I delete everything in my HJT backup? The computer seems to be running OK now, except it dings every couple minutes like it has just completed a process, even when it's not being used. It has been doing this at least since I downloaded the xp service pack 2, which was when I thought the computer was cleaned up but it really wasn't. Any idea why the computer keeps "dinging"? Thanks again for all your help.
Ellen
 
In Windows Explorer, make sure that the option to "show all files and folders, including hidden and system" is turned on.
Or see here how to do that: http://www.bleepingcomputer.com/forums/tutorial62.html
This will make those files 'visible' to you.

For the dinging, go to Control Panel/Sounds & Media. Scroll down in the Sound Events and click on the ones you don't want or need. That should be self-explanatory. In the box underneath (Name:) set it to (None).

If you have done everything all right, you can delete the backups, but wait a few more days. There should be plenty of space on your hard disk.
 