Begin2Search malware?

Discussion in 'Malware Help (A Specialist Will Reply)' started by JohnnyVan, Aug 3, 2006.

  1. JohnnyVan

    JohnnyVan Private E-2

    Hello, I've read and think I have followed all the steps in the "Read & Run Me First" thread.

    I became aware of the problem when Windows Defender found Begin2Search but couldn't clean it. Another issue which may not be related, but I would still appreciate help fixing if it's just a setting issue, is that all my icons are missing from my desktop. They are still there if I look through Windows Explorer, but if I just close everything all I see is my wallpaper.

    I went through the steps in the Read & Run thread. The thread showed four files to upload with our posts but I can only figure out how to include 3. I'm attaching four text files: Activescan.txt, bdscan.txt and hijackthis.log. I can include runkeys.txt if requested. When I tried to run ShowNew.bat I got an error message saying:

    C:\WINDOWS\system32\cdm.exe
    C:\WINDOWS\SYSTEM32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows applications. Choose 'Close' to terminate the application.


    Another possibly important thing is that Panda Active Scan would run in Safe Mode, but when I went to see the report, I could not connect to the internet. I tried both with my WiFi connection and with a direct enet cable (rebooting and running again first). When I ran it in regular mode I am sure it found fewer things.

    My apologies if I did something wrong. While I think you guys are great and have used your help to solve a virus in the past, the post was a little confusing in places :confused:
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run the one from below that is most appropriate for your system to fix the above error. Note: it did not say cdm.exe, it said cmd.exe.

    For Windows XP Pro: download and run XPproFix
    For Windows XP Home: download and run XPHomeFix

    Then run ShowNew and attach the logs. But before you run ShowNew, download the new version just uploaded to the same link.

    Also please attach your Panda log! You forgot to attach it to a second message.
     
  3. JohnnyVan

    JohnnyVan Private E-2

    You're right, it said cdm.exe not cmd.exe. That was my typo.

    Attached newfiles.txt here but I've tried three times to attach the Activescan.txt and it fails. I'll try again in an hour or so to see if it's on your end. If not, any idea why one would upload and the other wouldn't?
     

    Attached Files:

  4. JohnnyVan

    JohnnyVan Private E-2

    Still getting the error:

    Activescan.txt:
    Upload of file failed.


    What am I doing wrong?
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    How large is the file? If greater than 250K you will need to compress it into a ZIP file or split it into parts. Then upload the ZIP or the file in parts.
     
  6. JohnnyVan

    JohnnyVan Private E-2

    Doh! That was the problem. It was 3181k.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you had followed the directions in step 0 to empty your Norton NProtect folder, the Panda log would not have been so large and the scan would have run faster too. Empty it now. This is a stupid feature that Norton has put into place that very few people really use. And it has become an actual storage place for malware to be saved.

    Do you know what all the below files are that were installed into your system on May 7th:
    Download Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Now copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\01234567\dating[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\01234567\drugs-ico[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\01234567\fav.cat[1].xml
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\01234567\search.mnu[1].xml
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\casino[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\drugs.cat[1].xml
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\89ABCDEF\fav-ico[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\STQFSDE3\dating-ico[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\STQFSDE3\drugs[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WDUNG1MR\casino-ico[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WDUNG1MR\default.tbr[1].xml
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WDUNG1MR\fav[1].bmp
    C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\WDUNG1MR\virus[1].bmp
    C:\WINDOWS\INF\Pynix.inf
    C:\windows\system32\Narrator.exe
    C:\WINDOWS\SYSTEM32\abasa5jrp.ini
    C:\WINDOWS\SYSTEM32\hochkaod3.ini
    C:\WINDOWS\SYSTEM32\u6f6uftuc.ini

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.

    Make sure you tell me how things are working now!
     
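Added example (not part of the thread, and not code from Pocket Killbox): Killbox's "Delete on Reboot" works by queuing the path in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which Session Manager processes at the next boot before the file can be locked again. The value holds source/destination string pairs; an empty destination means delete, a destination prefixed with `!` means replace an existing file, and paths carry the NT `\??\` prefix. The decoder below builds a constructed value of that shape (the `SET3A.tmp`/`example.dll` replace and the temp-file entry are made up) and lists what is queued, which is the check to run when a tool warns about an existing PendingFileRenameOperations entry before you reboot.

```python
"""Decode the PendingFileRenameOperations value behind 'Delete on Reboot'.

Added example, not from the thread or from Pocket Killbox. The REG_MULTI_SZ
value holds src/dst pairs: empty dst = delete, dst starting with '!' = replace
an existing file, and paths carry the NT '\\??\\' prefix. SAMPLE_VALUE below
is constructed to look like what such a tool leaves behind.
"""
from typing import List, Optional, Tuple

REG_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
REG_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"

Op = Tuple[str, str, Optional[str]]  # (action, source, destination)


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ: UTF-16LE strings each ending in NUL, list ended by an extra NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(blob: bytes) -> List[str]:
    """Inverse of encode_multi_sz; keeps empty strings inside the list (they matter here)."""
    text = blob.decode("utf-16-le")
    if text.endswith("\x00"):          # list terminator
        text = text[:-1]
    parts = text.split("\x00")
    if parts and parts[-1] == "":      # terminator of the last string
        parts.pop()
    return parts


def strip_nt_prefix(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(blob: bytes) -> List[Op]:
    """Turn the raw value into (action, source, destination) tuples."""
    strings = decode_multi_sz(blob)
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must contain source/destination pairs")
    ops: List[Op] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        src = strip_nt_prefix(src)
        if dst == "":
            ops.append(("delete", src, None))
        elif dst.startswith("!"):
            ops.append(("replace", src, strip_nt_prefix(dst[1:])))
        else:
            ops.append(("rename", src, strip_nt_prefix(dst)))
    return ops


def ops_touching(ops: List[Op], directory: str) -> List[Op]:
    """Ops whose source or destination lies under `directory` (case-insensitive, like NTFS)."""
    d = directory.lower().rstrip("\\") + "\\"
    return [op for op in ops
            if op[1].lower().startswith(d) or (op[2] or "").lower().startswith(d)]


# Constructed value: a Killbox-style deletion of one of the .ini files named in the
# thread, a hypothetical update-style replace, and a deletion of a temp file.
SAMPLE_VALUE = encode_multi_sz([
    r"\??\C:\WINDOWS\SYSTEM32\abasa5jrp.ini", "",
    r"\??\C:\WINDOWS\system32\SET3A.tmp", r"!\??\C:\WINDOWS\system32\example.dll",
    r"\??\C:\DOCUME~1\Johnny\LOCALS~1\Temp\~DF1234.tmp", "",
])

if __name__ == "__main__":
    queued = parse_pending_ops(SAMPLE_VALUE)
    for action, src, dst in queued:
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
    print("entries under system32:", len(ops_touching(queued, r"C:\WINDOWS\system32")))
```

On a live XP box you would feed this the bytes from `reg query` or `winreg.QueryValueEx`; the point of decoding it rather than just deleting the value is that a legitimate installer or Windows Update may have queued its own replace in the same list, and a malware dropper can queue one too.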
  8. JohnnyVan

    JohnnyVan Private E-2

    I guess I just assumed when I got rid of Norton it would go away too. And I could have sworn when I did get rid of it, it asked me if I wanted to remove everything and I said yes. Either it didn't or I didn't, but either way, it's all gone now.

    I don't know what they are, but I did a search by date and among other things there is an "ALO RM to MP3" program I downloaded and installed that can go away. Should I uninstall it instead of just deleting stuff?

    Also there are several things with the word "Azureus" in it. I have no idea what that is.

    Attached below.

    Two things, one I still can't see the icons on my desktop and Windows Defender still finds and can't delete Begin2Search.

    One note, when I got rid of the NProtect folder I just deleted it. I didn't think to empty my recycle bin until after I ran Pocket KillBox and it rebooted. Does that matter? Oh, and I did not receive the message you asked me to tell you about if I got it.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Anything that you don't need or use should always be uninstalled. It is a waste of space and resources otherwise.

    Azureus is a bittorrent P2P downloading program.


    Does the Start button show and the system tray? Try the below:

    Right click on the Desktop, select Arrange Icons By, then select Show Desktop Icons.

    Exactly where is Windows Defender finding Begin2Search? What is the file name and path, or what is the registry key?


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0015.exe

    After clicking Fix, exit HJT.
    Now reboot in normal mode and post a new HJT log.
     
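Added example, not from the thread and not part of HijackThis: the O16 line above is a "Downloaded Program Files" (ActiveX) entry, and the reason it gets fixed is visible in the line itself, namely an unnamed CLSID whose install URL is a bare .exe on a third-party host. The script below parses O4 (Run keys) and O16 (DPF) lines from a constructed HJT-format log and flags the ones a helper would tick. The allowlisted hosts, the random-name heuristic and every sample line except the pacimedia one are assumptions made for this example, not rules HijackThis itself applies.

```python
"""Triage O4 (autorun) and O16 (ActiveX DPF) lines from a HijackThis-style log.

Added example; the heuristics and the sample lines other than the pacimedia O16
entry are constructed for illustration and are not HijackThis's own logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

# Assumption for this example: ActiveX served from these domains is treated as expected.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")

# Constructed sample log (HijackThis 1.99 format). Only the pacimedia line comes
# from the thread; the rest are made up and are not from the user's attached log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\hochkaod3.exe
O16 - DPF: {C0B285F6-DB2B-4908-9C58-F6D95397D747} - http://www.pacimedia.com/install/pcs_0015.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152040040484
"""


@dataclass
class Finding:
    line: str
    reasons: List[str]


def host_trusted(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage_o16(clsid: str, name: Optional[str], url: str) -> List[str]:
    reasons = []
    if not host_trusted(url):
        reasons.append("ActiveX served from non-allowlisted host")
    if urlparse(url).path.lower().endswith(".exe"):
        reasons.append("DPF entry points at a bare .exe rather than a .cab/.ocx")
    if name is None:
        reasons.append("no friendly name registered for CLSID " + clsid)
    return reasons


def triage_o4(hive: str, key: str, label: str, command: str) -> List[str]:
    reasons = []
    low = command.lower()
    if "\\local settings\\temp" in low or "temporary internet files" in low:
        reasons.append("autorun target lives in a temp directory")
    m = re.search(r"([^\\]+)\.exe", low)
    stem = m.group(1) if m else ""
    # Heuristic: 8-12 chars mixing letters and digits, like the .ini names in the thread.
    if re.fullmatch(r"[a-z0-9]{8,12}", stem) and re.search(r"\d", stem) and re.search(r"[a-z]", stem):
        reasons.append("random-looking executable name " + stem + ".exe")
    return reasons


def triage_log(text: str) -> List[Finding]:
    """Return the O4/O16 lines worth ticking in HJT, each with its reasons."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O16_RE.match(line)
        if m:
            reasons = triage_o16(m.group(1), m.group(2), m.group(3))
        else:
            m = O4_RE.match(line)
            reasons = triage_o4(*m.groups()) if m else []
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

The Windows Update control passes every check (allowlisted host, .cab payload, a registered name) and is left alone, while the pacimedia entry fails all three; the temp-directory Run entry is flagged on location alone, which is the same reasoning behind the Temporary Internet Files paths fed to Killbox earlier in the thread.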
  10. JohnnyVan

    JohnnyVan Private E-2

    That was it. Thanks, like I said I didn't know if it was related to the virus or not. Believe it or not, my cat does this kind of thing every once in a while by walking across my keyboard. Last time she changed the display so the resolution was still 1024x768 but it only took up about 50% of the screen right in the middle... :rolleyes:

    c:\documents and settings\localservice.nt authority\Desktop\Kill All Spyware.url

    Attached below. I've done some cleaning, both deleting files and uninstalling programs so hopefully it's cleaner.
     

    Attached Files:

  11. JohnnyVan

    JohnnyVan Private E-2

    How annoying. I went to the location and just deleted the file and rebooted, and now Windows Defender is happy, so I guess that solved the problem.

    So then since the program is gone I assume it is safe to just delete everything in this folder?
    C:\Documents and Settings\Johnny.JOHNNYSLAPTOP.000\Application Data

    And thanks for all your patience and help
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just close all browsers and use Windows Explorer to delete that file. You may need to boot into safe mode as the Administrator to delete it.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NO! But if there is a folder like this:

    C:\Documents and Settings\Johnny.JOHNNYSLAPTOP.000\Application Data\Azureus

    you can delete just that folder.
     
  14. JohnnyVan

    JohnnyVan Private E-2

    Everything seems fine now.

    Thanks again for your help!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
