hijack this hijacked?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DevilDuckie, Sep 14, 2004.

  1. DevilDuckie

    DevilDuckie Private E-2

    Hi,
I'm recovering from a virus crashing Windows, and upon reformatting and reinstalling, I've used your site to armor my computer like a Killdozer. I went through your standard virus and trojan removal instructions and followed them all, including downloading and running Hijack This!. The only thing I was not able to get rid of is an annoying little thing that highlights certain words like "credit", "sex", etc., on webpages. I'm pretty sure it's from Begin2Search, and damn if I can figure out how to get rid of it. Anyway, I was trying to run Hijack This! just a few minutes ago, and the program loaded fine; however, when I told it to scan, it found four "R1" entries with Begin2Search URLs and then shut down quickly before allowing me to do anything. There is no "Hijack This is experiencing problems and will be shut down" window, it simply closes out. Has anyone had this problem or knows how to fix it? I'm a little baffled, and getting increasingly peeved. Any help will be appreciated. Thanks,

    Audrey
     
  2. smokinbls

    smokinbls the title thing is overrated

    just to let you know.
    Chaslang is the guy for you, he really knows his stuff.
    he should be back on-line later tonight ( at least that is what he told me. :) )
    so stick around and someone will help :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run CWShredder? If not, run it and select Fix not Scan!
    Did you try to run HijackThis from safe mode to see if it works?
    What version of HijackThis do you have?
     
  4. DevilDuckie

    DevilDuckie Private E-2

    Hi,
    I just ran CWShredder and it fixed my Hijack This problem (it found googlems...that seemed to be it), thanks for the advice! The only other thing is that I can't get rid of this Begin2Search thing...I'm running v1.98.2 of Hijack This and the best I can do is clean it out when it gives me R1 and R0 listings for begin2search.com/googlesidesearch.html. All this will do is remove the highlights and hotlinks for the windows I already have open, but the problem comes back with every new window I open. I searched all the BHOs on the list provided, and there are some that aren't listed - it may be one of those, I suppose, but I hesitate to delete things that I'm not sure about. Again, anything you can offer...thanks so much for the help,

    Audrey
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    You want us to look at the log file? Please attach it.
     
  6. DevilDuckie

    DevilDuckie Private E-2

    Here's the logfile, I hope that helps.
     

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\localNRD.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\SYSTEM32\winb2s32.dll
    then click OK. If a dialog box confirming this action appears, click OK.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll


    Make sure you still have viewing of hidden files enabled (per the tutorial).
    Then boot into safe mode and delete the following:
    C:\WINDOWS\localNRD.dll
    C:\WINDOWS\SYSTEM32\winb2s32.dll

    Boot in normal mode and then:

    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now get a new HJT log and post it here as an attachment and tell me how things are running.
     
  8. DevilDuckie

    DevilDuckie Private E-2

    I followed your instructions; it appears that the problem is fixed. I've attached the newest HJT scan per your request. If there are any more problems or precautions I need to take, let me know, but if not, I just want to say that you (and this site in general) are awesome. Thanks for all your help!

    Audrey
     

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should see this link on NavExcel:
    http://www.doxdesk.com/parasite/NavExcel.html

    See if you can remove it from Add/Remove programs as shown. If not, have HJT fix the below line:
    O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll

    Other than that, you are looking good.
     
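The two cleanup replies above (the regsvr32 / HijackThis / safe-mode steps, and the NavExcel follow-up) amount to a small procedure: read the R0/R1/O2 lines HijackThis prints, decide which ones are the hijack, then unregister, deregister and delete them in the right order. The script below is an added example, not code from the thread or from HijackThis, that parses those line formats and turns them into an ordered plan. The sample log is constructed from the lines quoted in the thread; the "DLL sits directly in the Windows directory" heuristic, the begin2search.com blocklist and the XP-era paths are assumptions made for the example, and the emitted reg.exe / regsvr32 commands are printed for review rather than executed.

```python
"""Turn HijackThis R0/R1/O2 log lines into an ordered removal plan.

Added example for this thread, not HijackThis code. It parses the line
formats HijackThis prints and mirrors the steps given in the replies:
close browsers, unregister the BHO DLLs, drop their registration keys,
delete the files from safe mode, and reset the hijacked IE search values.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union
from urllib.parse import urlsplit

# Constructed sample: the lines quoted in the thread, plus the NavExcel BHO
# from the follow-up reply, so one run covers both replies.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll
O2 - BHO: Helper Class - {D80C4E21-C346-4E21-8E64-20746AA20AEB} - C:\Program Files\NavExcel Search Toolbar\NavExcelBar.dll
"""

# Assumptions for the example: the domain the poster was told to fix, and the
# default XP-era system directories the two begin2search DLLs were dropped in.
BAD_DOMAINS = ("begin2search.com",)
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Registry key under which IE looks up installed BHOs (HijackThis "O2").
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),(.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")


@dataclass
class IEValue:
    kind: str   # R0 (machine default) or R1 (user value)
    hive: str   # HKCU or HKLM
    key: str    # subkey under the hive
    name: str   # value name, e.g. "Search Page"
    data: str   # current value data (the hijacked URL)


@dataclass
class BHO:
    name: str
    clsid: str
    path: Optional[str]  # None when HijackThis reports "(no file)"


Entry = Union[IEValue, BHO]


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R0/R1/O2 lines; other HijackThis sections are ignored."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            entries.append(IEValue(*m.groups()))
            continue
        m = O2_LINE.match(line)
        if m:
            name, clsid, path = m.groups()
            entries.append(BHO(name, clsid.upper(), None if path == "(no file)" else path))
    return entries


def hijacked_values(entries: List[Entry], bad_domains=BAD_DOMAINS) -> List[IEValue]:
    """R0/R1 values whose URL host is (a subdomain of) a blocklisted domain."""
    hits = []
    for e in entries:
        if isinstance(e, IEValue):
            host = (urlsplit(e.data).hostname or "").lower()
            if any(host == d or host.endswith("." + d) for d in bad_domains):
                hits.append(e)
    return hits


def suspicious_bhos(entries: List[Entry]) -> List[BHO]:
    """Triage heuristic (an assumption, not proof): a BHO with no backing file,
    or whose DLL sits directly in the Windows directory rather than under
    Program Files, as both begin2search DLLs in the thread did."""
    return [e for e in entries if isinstance(e, BHO)
            and (e.path is None or ntpath.dirname(e.path).lower() in SYSTEM_DIRS)]


def build_plan(entries: List[Entry], extra_clsids=()) -> List[Tuple[str, str]]:
    """Ordered (command, reason) steps: heuristic hits plus explicitly named
    CLSIDs (e.g. NavExcel, which the heuristic does not catch)."""
    targets = {b.clsid for b in suspicious_bhos(entries)} | {c.upper() for c in extra_clsids}
    plan = [("(close all browser windows)",
             "IE keeps BHO DLLs loaded and rewrites its settings on exit, undoing the fix")]
    for b in entries:
        if not isinstance(b, BHO) or b.clsid not in targets:
            continue
        if b.path is None:
            plan.append((f'reg delete "{BHO_KEY}\\{b.clsid}" /f', "orphaned BHO entry, no DLL on disk"))
            continue
        plan.append((f'regsvr32 /u "{b.path}"', f"unregister {b.name}"))
        plan.append((f'reg delete "{BHO_KEY}\\{b.clsid}" /f', "stop IE loading it as a BHO"))
        plan.append((f'del "{b.path}"', "run from safe mode, after unregistering"))
    for v in hijacked_values(entries):
        plan.append((f'reg delete "{v.hive}\\{v.key}" /v "{v.name}" /f', f"was {v.data}"))
    plan.append(("(Internet Options > Programs > Reset Web Settings, then clear cookies and cache)",
                 "restore defaults for anything not listed"))
    return plan


if __name__ == "__main__":
    for cmd, why in build_plan(parse_hjt(SAMPLE_LOG),
                               extra_clsids=["{D80C4E21-C346-4E21-8E64-20746AA20AEB}"]):
        print(f"{cmd:<95} ; {why}")
```

The point of splitting `suspicious_bhos` from `build_plan` is that the location heuristic flags the three begin2search entries on its own but says nothing about NavExcel, which lives under Program Files like a legitimate add-on; that one had to be named explicitly, exactly as the follow-up reply did after checking the doxdesk parasite list. Treat the printed commands as a checklist to review against the live log, not as something to pipe into cmd.exe.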
