Removing Begin2search, please check my hijack this log before I continue..


MellyJC

Ok so I was hit with a bunch of spyware crap Saturday and I've been fighting it since, even sunk $30 into Spyware Doctor at my dad's advice with no success. :blackeye:

I've been following RealBlackStuff's advice from his thread, and I'm up to the point of having run the Hijack This program. According to the post I've got 17 things to fix, but I just wanted to post my log here and get it verified by the more knowledgeable. I'd never even heard of Hijack This before two days ago. I'm tired of working on all this stuff and I'd like to make sure it's done right so I don't have to do it again or reinstall my OS. So without further ado, here's my log. Thank you immensely for your help!

Melanie
 

Attachment: hijackthis.txt (6.5 KB)
Boot in Safe Mode
Switch off System Restore
Run HJT on its own and let it 'fix':
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com
O2 - BHO: (no name) - {148274E9-E3BB-4F3D-BA03-2136326C2A47} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
O2 - BHO: (no name) - {3F7C79A9-986E-4126-8D31-80DB5647195F} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll (file missing)
O2 - BHO: (no name) - {E6D0512E-E11E-4C61-B14D-27A4A7FEFC16} - C:\Program Files\tczotlol\tczotlol.dll (file missing)
O3 - Toolbar: Begin2Search.com Bar - {207AEF46-0596-4966-A7BF-098F247E85BB} - C:\WINDOWS\system32\ic2_win.dll (file missing)
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1

ALL lines with O16 - DPF:

O17 - HKLM\System\CCS\Services\Tcpip\..\{573E10D6-CA7A-42BB-B1B4-33BE139888AE}: NameServer = 63.203.35.55,206.13.28.12

When done, hunt for this file: D0CE0C16B1 and delete it.
If it still exists, delete this directory and all its contents: C:\Program Files\tczotlol
Boot normal.
If all OK, put System Restore back on.
Otherwise post a new log.
 
Thank You!

The search bar does appear to be gone YEEHAW! :bounce:

Something I removed though seems to have rendered McAfee useless and it's asking me to reinstall. Do I absolutely have to (my dad has the install CD, it could be a while before I get ahold of it) or can I restore the several O16s that point to McAfee and will that make it work again?
 
similar problem

Hello. I'm new to TechSpot and I'm not sure how to post my own thread. I apologize for tacking onto this one, but I do have a similar problem. My homepage keeps getting changed to a "Search for..." website. Sometimes websites I am on randomly get switched to that one as well. I attached my hijack this log file. Also, I have run CWShredder, Ad-Aware SE, and SpyBot S&D as recommended. I ran them each in safe mode, rebooting after running each individual program. I also ran a virus scan. The same problem keeps coming back though. I'd appreciate any help I can get. Thanks a lot.

I can't seem to keep my post from including random links. Sorry about that.
 
MellyJC
O16 entries are ActiveX based downloads. In your case you should UNDO them in HJT, to get McAfee going again. If the UNDO restores ALL O16 files, just delete the few non-McAfee again, and you should be good.
Yours is the first of all the cases where I assisted, where such a thing happened.
Sorry for the inconvenience.

mjd3k

Boot in Safe Mode
Try to UNinstall anything to do with:
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRA~1\CLOCKS~1\Sync.exe

Use Notepad to edit win.ini
change the line: run=hpfsched into: run=

Next run HJT on its own and let it 'fix' if still there:
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.abc-search.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://www.abc-search.net/small.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.virginia.edu
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.virginia.edu
R3 - URLSearchHook: (no name) - {1594B2E5-61E6-A30A-4ADD-1DF5276EF316} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\PROGRAM FILES\AIM TOOLBAR\AIMBAR.DLL (file missing)
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\ms.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/yiebio5_1_5_0.cab
O16 - DPF: {f760cb9e-c60f-4a89-890e-fae8b849493e} -
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

When done, delete the bold files (if any). When a directory is bold, delete everything in it, including that directory itself.

Delete all contents from your \Temp directory
Clear all temp. internet files and cookies
Get Firefox from www.getfirefox.com and use that from now on.
NO more IE.
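The two fix lists above follow a pattern: IE start/search entries pointing at a hijacker domain or at a DLL in TEMP, BHO/toolbar registrations whose DLL is already gone, a rundll32 autorun loading a module with no .dll extension, and an O17 NameServer override. As an added example (not code from this thread or from HijackThis), the script below parses HJT-style log lines and flags those same categories; the hijacker domains are the two named in this thread, the other rules are heuristics I chose, and the sample log is constructed from lines quoted in the posts above.

```python
import re

# Constructed sample: lines quoted in this thread plus one benign start page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O2 - BHO: ohb - {988CAFC4-DC0D-4D8C-A35E-5028ABE9E641} - C:\WINDOWS\system32\ic2_win.dll (file missing)
O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O17 - HKLM\System\CCS\Services\Tcpip\..\{573E10D6-CA7A-42BB-B1B4-33BE139888AE}: NameServer = 63.203.35.55,206.13.28.12
""".strip()

HIJACK_DOMAINS = ("begin2search.com", "abc-search.net")  # domains named in this thread
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<arg>\S+)", re.I)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def classify(line):
    """Return (section, reason) if the HJT entry looks suspicious, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec in ("R0", "R1"):
        value = body.split(" = ", 1)[-1].lower()
        if any(d in value for d in HIJACK_DOMAINS):
            return sec, "IE start/search setting points at a known hijacker domain"
        if value.startswith("res://") and "\\temp\\" in value:
            return sec, "IE search bar served from a DLL under a TEMP directory"
    elif sec in ("R3", "O2", "O3", "O9") and body.endswith(ORPHAN_MARKERS):
        return sec, "browser extension registered but its file is gone (orphaned remnant)"
    elif sec == "O4":
        r = RUNDLL_RE.search(body)
        if r and not r.group("arg").split(",")[0].lower().endswith(".dll"):
            return sec, "rundll32 autorun loading a module with no .dll extension"
    elif sec == "O17":
        return sec, "DNS NameServer override: confirm these addresses belong to your ISP"
    return None


def analyze(log_text):
    """Return (section, reason, line) for every flagged entry, in log order."""
    return [(*v, ln.strip()) for ln in log_text.splitlines() if (v := classify(ln))]


if __name__ == "__main__":
    for sec, reason, line in analyze(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```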
 
Ok, thanks a lot. I've done everything except edit the win.ini file. How do I do that? I couldn't find it on my computer to open it. Thanks again for your help.
 
Hm...I restored the McAfee O16s but it's still giving me error messages. Guess I'll have to reinstall. But at least the Spyware is gone! YAAAAY! Thanks RealBlackStuff! :D
 
mjd3k
double-click on c:\windows\win.ini or click Start/Run and type in: notepad c:\windows\win.ini and click OK.
That line is right at the beginning.

MellyJC
There is a (free) AVG available from www.grisoft.com if you need immediate protection. You will need to uninstall the McAfee antivirus part first for it to work.
You would
 