Several questions...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MrCheshire, Sep 21, 2004.

  1. MrCheshire

    MrCheshire Private E-2

    First of all, I was wondering how to remove an annoying toolbar from IE? This one's significantly more frustrating than the others I've dealt with (I've already read and gone through the Basic Spyware, Trojan And Virus Removal tutorial post, btw and those steps have not removed the problems I'm asking about now) because it just says "Search" and doesn't appear to associate itself with any program. But it is there every time I open up an IE window and I want it gone.

    Also, even though it doesn't show up anymore, when I go to "view -> toolbars" so I can turn off this stupid "Search" toolbar, the option for "Begin2Search.com bar" is still there, even though it doesn't show up anymore. I'm assuming the way to get rid of it is somewhere in regedit, but that's too advanced for me. I want to clear that off too, if possible.

    And somewhere along the line, I've gotten something that takes keywords and makes them into highlighted "sponsored links." I want that turned off.

    The other thing that's been going on is that my home page has been resetting to www.msn.com on startup (I keep it blank, normally) and when I fill out a form on any website, a lycos window pops up on the side that says "sidesearch" on it. It's extraordinarily annoying. Running all the suggested spyware killers from the tutorial did not fix any of these problems, so I'm wondering what further steps I can do.

    Also, I can't seem to even get CCleaner to run successfully. Even in safe mode, it gives me an error after working for a while and then shuts down, and won't even open again after that.

    Yeah, my computer seems pretty screwed up. I thought I was more careful than this.
     
  2. MrCheshire

    MrCheshire Private E-2

    And another thing... I just discovered that any mistyped or nonexistent web addresses send me to www.exactsearch.net ... That's another recent development. I'm serious that this is all recent - all of these problems cropped up today and I have no idea why. I haven't had anything even comparable to this for two years, since I got this machine.

    And another bit of info I forgot to include in my previous post is that I was unable to run the online virus detectors, thanks to my pitiful dial-up internet connection, which is a long story about how much I despise my cable provider, but that is really immaterial.

    Any help at all would be greatly appreciated, of course.
     
  3. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Try looking for it in Hijack This. If you need help looking at it, please post it.
     
  4. MrCheshire

    MrCheshire Private E-2

    HiJackThis log posted.

    I could really use some help - I must have done something really stupid to have all this start happening to me.
     


  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Wow, you've got some obvious problems. First off, old Hijack This. Get a new copy, from us. Didn't close running programs. Ok, head to add\remove programs and uninstall Web Rebates and check for anything else unusual while there like searching or shopping. In Hijack This remove the following after that:


    C:\Program Files\NaviSearch\bin\nls.exe
    C:\PROGRA~1\Web Offer\wo.exe
    C:\Program Files\Web_Rebates\WebRebates1.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
    O2 - BHO: (no name) - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
    O2 - BHO: (no name) - {92536028-2DCE-DB81-1924-441426713D44} - C:\WINNT\Zayhirnq.dll
    O2 - BHO: (no name) - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINNT\System32\nvms.dll
    O2 - BHO: (no name) - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\System32\mscb.dll
    O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
    O2 - BHO: (no name) - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dll
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\SYSTEM32\winb2s32.dll
    O3 - Toolbar: Search - {10A3DCE2-DD77-7230-8CFF-B8950184A5D1} - C:\WINNT\Zayhirnq.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [jpdngyorgdzl] C:\WINNT\System32\nvyeungw.exe
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
    O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
    O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Owner\Application Data\DownloadPlus.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    If this isn't your home page, remove it:
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com

    The O16 entries are common sense, if you did not install it remove it:
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/182154f22b38f0dee721/netzip/RdxIE601.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB


    Try and finish the tutorial now.
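    The fix list above is grouped the way HijackThis groups a log: R0/R1 are IE search and start page values, O1 are hosts-file lines, O2 are browser helper objects, O3 toolbars, O4 autostart Run keys and O16 ActiveX downloads. As an added example (not from the thread and not part of HijackThis), here is a small Python triage script that parses lines of those shapes and flags the same patterns the reply tells the poster to remove: hosts entries that pin a public name to a non-loopback address (including the fused entries where the hosts file lost a line break), search pages pointing off Microsoft hosts, orphaned or unnamed BHOs, modules and autostarts dropped directly into the Windows root, and ActiveX packages fetched from a bare IP. The sample lines are copied from the log quoted in this thread; the benign-host allowlist, the C:\WINNT / C:\WINDOWS root assumption and the "file directly in the Windows root" heuristic are assumptions of this example, not HijackThis rules.

```python
"""HijackThis-style log triage (added example; not part of HijackThis).

Parses the entry shapes quoted in the thread (R0/R1 search and start page
values, O1 hosts-file lines, O2 BHOs, O3 toolbars, O4 Run keys, O16 DPF
downloads) and flags the patterns the reply tells the poster to remove.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"
# One "ip hostname" pair; the lookahead also stops at a following IP so that
# fused entries (a missing line break in the hosts file) split correctly.
HOST_PAIR_RE = re.compile(rf"({IP_RE})\s+([A-Za-z][A-Za-z0-9.-]*?)(?={IP_RE}\s|\s|$)")
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
MODULE_RE = re.compile(r"^(?:BHO|Toolbar): (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(.*?)\] (.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((.*?)\) - (\S+)$")

# Assumption: search/start page values on these hosts are treated as defaults.
BENIGN_SEARCH_HOSTS = {"www.microsoft.com", "go.microsoft.com", "www.msn.com", "search.msn.com"}
# Assumption: the Windows root is C:\WINNT or C:\WINDOWS (both appear in logs of that era).
WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")

# Constructed sample: line shapes copied from the log quoted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINNT\localNRD.dll
O2 - BHO: (no name) - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - (no file)
O3 - Toolbar: Search - {10A3DCE2-DD77-7230-8CFF-B8950184A5D1} - C:\WINNT\Zayhirnq.dll
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/182154f22b38f0dee721/netzip/RdxIE601.cab
"""


@dataclass
class Finding:
    section: str
    detail: str
    reason: str


def hosts_pairs(text):
    """Return (ip, hostname) pairs from an O1 payload, splitting fused entries."""
    return HOST_PAIR_RE.findall(text)


def in_windows_root(target):
    """True when the file sits directly in the Windows directory (not a subfolder)."""
    head, _, tail = target.strip('"').lower().rpartition("\\")
    return head in WINDOWS_ROOTS and tail != ""


def check_module(section, name, target):
    """Shared checks for BHOs, toolbars and Run entries."""
    if target == "(no file)":
        return [Finding(section, name, "orphaned entry: registered, but the file is gone")]
    if name == "(no name)":
        return [Finding(section, target, "module registered without a display name")]
    if in_windows_root(target):
        return [Finding(section, target, "file placed directly in the Windows root directory")]
    return []


def triage_line(line):
    """Return the findings for one log line (empty list when nothing stands out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    if section == "O1" and body.startswith("Hosts:"):
        return [Finding(section, f"{ip} {host}", "hosts file pins a public name to a fixed address")
                for ip, host in hosts_pairs(body) if not ip.startswith("127.")]
    if section in ("R0", "R1"):
        _, _, value = body.partition(" = ")
        value = value.strip()
        if "/" in value:  # URL-like; scheme-less values occur in real logs
            host = (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()
            if host not in BENIGN_SEARCH_HOSTS:
                return [Finding(section, value, f"search/start page redirected to {host}")]
        return []
    if section in ("O2", "O3") and (mm := MODULE_RE.match(body)):
        return check_module(section, *mm.groups())
    if section == "O4" and (mm := RUN_RE.match(body)):
        return check_module(section, *mm.groups())
    if section == "O16" and (mm := DPF_RE.match(body)):
        host = urlparse(mm.group(2)).hostname or ""
        if re.fullmatch(IP_RE, host):
            return [Finding(section, mm.group(2), "ActiveX download from a bare IP address")]
    return []


def triage_log(text):
    """Triage every non-blank line of a log and return all findings."""
    return [f for line in text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}: {f.detail}")
```

    Two things worth noting when reading the output. The Windows-root heuristic says nothing about adware that installs cleanly under Program Files (NaviSearch, Web Rebates, TV Media), which is exactly why the reply sends the poster to Add/Remove Programs before touching the log. And the O1 lines matter more than they look: pinning names like sitefinder.verisign.com and search.netscape.com to one address is how a mistyped URL ends up on a third party's search page, so a hosts file with anything other than loopback entries is the first place to look when "wrong address" pages start appearing.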
     
  6. MrCheshire

    MrCheshire Private E-2

    I'm going to go ahead and do my best to go through all this, but I can't find where on this site to get the more up-to-date version of HijackThis. I don't see it listed in either the basic tutorial post or the post about HijackThis specifically - and the link (this one http://www.spywareinfo.com/~merijn/htlogtutorial.html) doesn't seem to work anymore. I just googled "hijackthis" and got what looked to me to be the most up-to-date version. Sorry about that - I don't doubt that it's on this site, I just don't know where.
     
  7. MrCheshire

    MrCheshire Private E-2

    This seems to have taken care of everything, as far as I can tell. If I get any more problems, I'll be back - but first...

    Thank you, thank you, thank you, thank you. Your help is so incredibly appreciated.
     
  8. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    My pleasure, please try some of the tutorial from safe mode simply because that log file was so HUGE, I fear there may be some stragglers. At least spyware scan and virus scan for me. Do your Windows Updates to get Service Pack 2 as well :)
     
