#41
Thanks for the response RealBlackStuff. Jesus, there's a lot on there.
I spoke to her regarding the Avast and she seems to think it's been on there since September. Would you advise to get a new one then, mate?

#42
Before I answer that, I need to know how religiously that PC's AV is updated and what the browsing habits are (downloading MP3s and stuff?).
I heard good things about Avast, supposedly better than the free AVG, but I am not sure now. I use Extendia AVK Pro, and have not seen a virus in years.

#43
After reading this thread, I tried to remove the begin2search toolbar by myself. I succeeded in removing the toolbar but the "Page cannot be displayed" page is still the begin2search one. Can anyone help me here? Thanks.
I attached my log (this board would not let me post for some reason, URLs or something).

#44
Flamingshadow

Welcome to TechSpot. First off, go here and follow EXACTLY as it says there.
http://www.techspot.com/vb/topic17297.html
Note the part about 'xfire_lsp...' at the bottom as well.

Also, your AVG6 will expire at the end of this year. Replace it with the (free) AVG7. When updated, run a full scan of your system.

One of the following files is the official one; you will need to compare all of these with your original CD to establish which one is the "goodie". You may have the "Sircam" virus.
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe

After you have done as instructed in the above post, run your UPDATED HJT on its own in Safe Mode and "fix" all of these, if any are still left after Adaware, Spybot and co.:
C:\WINDOWS\kdx\KHost.exe
C:\WINDOWS\system32\svchost32.exe
C:\WINDOWS\system32\NotifyPhoneBook.exe
C:\Program Files\Windows AdControl\WinAdCtl.exe
C:\Program Files\Windows AdControl\WinAdAlt.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\cidaemon.exe
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5-9803-1c2956615786} - C:\Program Files\Google\Google Desktop Search\GoogleDesktopIE.dll
O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
O4 - HKLM\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\svchost32.exe"
O4 - HKLM\..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Broken Internet access because of LSP provider 'xfire_lsp_9028.dll' missing
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_fi...76de901b6c1e8b
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/downlo...?1079102657625
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/def...caploader1.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/...lInstaller.exe
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.can.com.sg/mwf/mgaxctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...842.8861458333
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78D} (DoomCln Object) - http://www.microsoft.com/security/controls/DoomCln.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B819A037-7A70-4442-9196-34658C86BFD7}: NameServer = 165.21.100.88 165.21.83.88

#45
begin2search headache

Hi guys
I am trying to post my results from HiJackThis but I get an error "Your Post contains one or more URLs, please remove them before submitting your message again." Any ideas? Thanks

#46
Click on "go advanced" when you post, and send your HJT-log as an attachment, e.g. "hijackthis.txt"
Do NOT use the ZIP-format.

#47
Can you help?

I attached the file.
Can you let me know what I still have after running Ad-Aware and Spybot? Thanks in advance

#48
Iloki

Run HJT standalone in Safe Mode and let it "fix":
C:\Program Files\Winamp3\winampa.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\pngcm.exe

-- Do you run more than one language on your PC? (like switching keyboard-language) --
If not, this needs to be "fixed" as well:
C:\WINNT\System32\internat.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [aihwbqf] C:\WINNT\System32\acjctp.exe
O4 - HKCU\..\Run: [ZEv2RXKpW] pngcm.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10...o.cab27513.cab

At the end, delete all the files that were "fixed".

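Added example (not part of the thread and not any poster's code): a Python script that parses HijackThis entries like those in the fix-lists of posts #44 and #48, drops repeated lines, and lists the files the entries reference, which post #48 says to delete once fixed. The sample lines are copied from those two posts; the function and variable names are made up for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: entries copied from the fix-lists in posts #44 and #48.
SAMPLE = r"""
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINNT\BTGrab.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [svchost.exe] "C:\WINDOWS\system32\svchost32.exe"
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
O10 - Unknown file in Winsock LSP: c:\program files\google\google desktop search\googledesktopnetwork1.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.popupsearches.com/sidesearch.html
"""

# An entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Full Windows path up to the first .exe/.dll; spaces in directory names allowed.
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll)', re.IGNORECASE)

def parse_entries(log_text):
    """Yield (section_code, body) for each HijackThis entry line, skipping others."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)

def triage(log_text):
    """Group entries by section, drop repeats, and collect the referenced files."""
    sections, files, unresolved = OrderedDict(), [], []
    for code, body in parse_entries(log_text):
        bucket = sections.setdefault(code, [])
        if body in bucket:            # identical O10 lines repeat in the log; keep one
            continue
        bucket.append(body)
        m = FILE_PATH.search(body)
        if m:
            path = m.group(0).lower()  # Windows paths are case-insensitive
            if path not in files:
                files.append(path)
        elif code == "O4":
            # Autostart given as a bare name (e.g. loadqm.exe): locate it by hand.
            unresolved.append(body)
    return sections, files, unresolved

if __name__ == "__main__":
    sections, files, unresolved = triage(SAMPLE)
    for code, bodies in sections.items():
        print(code, len(bodies), "unique entries")
    print("files referenced by the entries:", *files, sep="\n  ")
    print("bare autostart names to locate:", *unresolved, sep="\n  ")
```
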
#49
this worked

since begintosearch is an old malware
I got slammed by this one
the way to remove it is by using hijackthis
and downloading the yahoo toolbar with anti-spyware
this anti spyware removed all traces of begintosearch