Removing Begin2search, please check my hijack this log before I continue..

By MellyJC
Feb 17, 2005
Topic Status:
Not open for further replies.
  1. Ok so I was hit with a bunch of spyware crap Saturday and I've been fighting it since, even sunk $30 into Spyware Doctor at my dad's advice with no success. :blackeye:

    I've been following RealBlackStuff's advice from his thread, and I'm up to the point of having run the Hijack This program. According to the post I've got 17 things to fix, but I just wanted to post my log here and get it verified by the more knowledgeable. I'd never even heard of Hijack This before two days ago. I'm tired of working on all this stuff and I'd like to make sure it's done right so I don't have to do it again or reinstall my OS. So without further ado, here's my log. Thank you immensely for your help!

    Melanie

  2. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Boot in Safe Mode
    Switch off System Restore
    Run HJT on its own and let it 'fix':
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
    O2 - BHO: (no name) - {148274E9-E3BB-4F3D-BA03-2136326C2A47} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
    O2 - BHO: (no name) - {3F7C79A9-986E-4126-8D31-80DB5647195F} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
    O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll (file missing)
    O2 - BHO: (no name) - {E6D0512E-E11E-4C61-B14D-27A4A7FEFC16} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
    O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\system32\ic2_win.dll (file missing)
    O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

    ALL lines with O16 - DPF:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{573E10D6-CA7A-42BB-B1B4-33BE139888AE}: NameServer = 63.203.35.55,206.13.28.12

    When done, hunt for this file: D0CE0C16B1 and delete it.
    If it still exists, delete this directory and all its contents: C:\Program Files\tczotlol
    Boot normal.
    If all OK, put System Restore back on.
    Otherwise post a new log.
  3. MellyJC

    MellyJC Newcomer, in training Topic Starter Posts: 51

    Thank You!

    The search bar does appear to be gone YEEHAW! :bounce:

    Something I removed though seems to have rendered McAfee useless and it's asking me to reinstall. Do I absolutely have to (my dad has the install CD, it could be a while before I get ahold of it) or can I restore the several O16s that point to McAfee and will that make it work again?
  4. mjd3k

    mjd3k Newcomer, in training

    similar problem

    Hello. I'm new to TechSpot and I'm not sure how to post my own thread. I apologize for tacking onto this one, but I do have a similar problem. My homepage keeps getting changed to a "Search for..." website. Sometimes websites I am on randomly get switched to that one as well. I attached my hijack this log file. Also, I have run CWShredder, Ad-Aware SE, and SpyBot S&D as recommended. I ran them each in safe mode, rebooting after running each individual program. I also ran a virus scan. The same problem keeps coming back though. I'd appreciate any help I can get. Thanks a lot.

    I can't seem to keep my post from including random links. Sorry about that.
  5. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    MellyJC
    O16 entries are ActiveX based downloads. In your case you should UNDO them in HJT, to get McAfee going again. If the UNDO restores ALL O16 files, just delete the few non-McAfee again, and you should be good.
    Yours is the first of all the cases where I assisted, where such a thing happened.
    Sorry for the inconvenience.

    mjd3k

    Boot in Safe Mode
    Try to UNinstall anything to do with:
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\PROGRA~1\CLOCKS~1\Sync.exe

    Use Notepad to edit win.ini
    change the line: run=hpfsched into: run=

    Next run HJT on its own and let it 'fix' if still there:
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.abc-search.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.abc-search.net/small.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.virginia.edu
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.virginia.edu
    R3 - URLSearchHook: (no name) - {1594B2E5-61E6-A30A-4ADD-1DF5276EF316} - (no file)
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL (file missing)
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
    O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    When done, delete the bold files (if any). When a directory is bold, delete everything in it, including that directory itself.

    Delete all contents from your \Temp directory
    Clear all temp. internet files and cookies
    Get Firefox from www.getfirefox.com and use that from now on.
    NO more IE.
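
Added example, not part of the original thread: a small triage script for HijackThis log lines like the ones quoted above. It flags entries that HijackThis marks as `(file missing)` or `(no file)` and groups the O16 (DPF / ActiveX download) entries by source host, so each one can be reviewed on its own rather than fixed in bulk. The sample lines are copied from this thread; the function names `parse` and `o16_by_host` are hypothetical.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the logs quoted in this thread.
SAMPLE = r"""
O2 - BHO: (no name) - {148274E9-E3BB-4F3D-BA03-2136326C2A47} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
"""

LINE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # section code, then the entry body
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
URL = re.compile(r"https?://\S+")

def parse(log):
    """Return one dict per HijackThis entry: section, CLSID, orphan flag, source host."""
    entries = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # header text, blank lines, running-process list
        section, body = m.groups()
        clsid = CLSID.search(body)
        url = URL.search(body)
        entries.append({
            "section": section,
            "clsid": clsid.group(0).upper() if clsid else None,
            # HijackThis appends these markers when the target file is gone
            "orphan": body.endswith(("(file missing)", "(no file)")),
            "host": urlparse(url.group(0)).hostname if url else None,
            "raw": raw.strip(),
        })
    return entries

def o16_by_host(entries):
    """Group O16 entries by download host so each can be reviewed individually."""
    groups = {}
    for e in entries:
        if e["section"] == "O16":
            groups.setdefault(e["host"] or "(no source URL)", []).append(e["clsid"])
    return groups

if __name__ == "__main__":
    parsed = parse(SAMPLE)
    print([e["raw"] for e in parsed if e["orphan"]], o16_by_host(parsed))
```
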
  6. mjd3k

    mjd3k Newcomer, in training

    Ok, thanks a lot. I've done everything except edit the win.ini file. How do I do that? I couldn't find it on my computer to open it. Thanks again for your help.
  7. MellyJC

    MellyJC Newcomer, in training Topic Starter Posts: 51

    Hm...I restored the McAfee O16s but it's still giving me error messages. Guess I'll have to reinstall. But at least the Spyware is gone! YAAAAY! Thanks RealBlackStuff! :D
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    mjd3k
    double-click on c:\windows\win.ini or click Start/Run and type in: notepad c:\windows\win.ini and click OK.
    That line is right at the beginning.

    MellyJC
    There is a (free) AVG available from www.grisoft.com if you need immediate protection. You will need to uninstall the McAfee antivirus-part first for it to work.
    You would