Invisible spyware

I just had a huge infestation of spyware - some 400 items. I’m not sure where they came from. I think I accidentally clicked on a popup somewhere and it let everything else in. Anyway, I have cleared out everything except one - I now have a search bar under the Address bar at the top of my browser (IE). I have tried Adaware, Spy Sweeper, and Spybot. All say my system is clean. I looked in the Add/Remove programs and see nothing I don’t recognize and want. I did a control-alt-delete and nothing is listed that I don’t know about and want.
The bar says, from left to right, Search the Web (with a search box), Search, Search Engines, Software, Credit, Email, Gamble, Dating, Cool, and Useful. The last several have drop down arrows which I haven’t clicked on to see the contents. I just did a big critical Windows update thing. Before the update, when I right-clicked on the bar on the small blank space at the end of the row, I got a listing of all the things displayed on the browser, such as Standard, Address Bar, Links, etc., and at the end was Begin2search.com and it was checked. Unchecking it made the bar go away for that browser. Now I still have a space where the Begin2Search used to be, and it’s checked too, and unchecking turns off the bar display. A Fine Programs search comes up with nothing for that name.
Where is this stupid program living and how do I kill it?
Thanks,
HennaDancer :mad:

:mad: :rolleyes: :mad:

Since this thing started, sometimes words or phrases get highlighted in page texts that don’t seem to be highlighted by the page itself. In the above, spyware and popup were both highlighted, and a mouseover says “Sponsored Link”.

:confused: :mad: :confused:

Try this link from computercops.com

Well, just to see what would happen, I went to www.begin2search.com. They have a link for UNinstall Toolbar right on their front page. Mighty decent of them. But after I uninstalled it (which worked so far as I could tell) it tried to change my start page to www.yahoo.com. So is begin2search affiliated with Yahoo? And how can I be sure it’s really gone?
Thanks for following the saga.

Run HijackThis and post the log here.

Sorry, it’s computercops.biz. computercops.com is a cybersquatter.

Logfile of HijackThis v1.98.2
Scan saved at 12:11:47 PM, on 9/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SDWin32 Class - {9F27C7FB-EA1B-4A79-A441-02178E093A67} - C:\WINDOWS\SYSTEM\WDCIY.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM…\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM…\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM…\Run: [SystemTray] SysTray.Exe
O4 - HKLM…\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM…\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM…\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM…\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM…\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O4 - HKLM…\RunServices: [ScriptBlocking] “C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe” -reg
O4 - HKLM…\RunOnce: [ACMWrapperV2.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CDEngine\ACMWrapperV2.dll”
O4 - HKLM…\RunOnce: [MediaPlayerV2.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CDEngine\MediaPlayerV2.dll”
O4 - HKLM…\RunOnce: [driversV2.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CDEngine\driversV2.dll”
O4 - HKLM…\RunOnce: [Cdbootable.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Cdbootable.dll”
O4 - HKLM…\RunOnce: [cdDataPS.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdDataPS.dll”
O4 - HKLM…\RunOnce: [cdExtra.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdExtra.dll”
O4 - HKLM…\RunOnce: [cdmp3.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\cdmp3.dll”
O4 - HKLM…\RunOnce: [database.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\database.dll”
O4 - HKLM…\RunOnce: [ISO9660.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\ISO9660.dll”
O4 - HKLM…\RunOnce: [Joliet.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Joliet.dll”
O4 - HKLM…\RunOnce: [Udf.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Udf.dll”
O4 - HKLM…\RunOnce: [creator.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\creator.dll”
O4 - HKLM…\RunOnce: [Translator.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CreatorAPI\Translator.dll”
O4 - HKLM…\RunOnce: [CDEngine.dll] c:\windows\system\regsvr32.exe /s “C:\Program Files\Common Files\Adaptec Shared\CDEngine\CDEngine.dll”
O4 - HKLM…\RunOnce: [WMC_RebootCheck] C:\WINDOWS\inf\unregmp2.exe /FixUps
O4 - HKLM…\RunOnce: [WU2_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\WUAUPD98.DLL
O4 - HKLM…\RunOnce: [UpdateHook] C:\WINDOWS\rundll32.exe AUHKNEW.DLL,RenameDll
O4 - HKLM…\RunOnce: [WU4_RegSvr] C:\WINDOWS\SYSTEM\regsvr32.exe /s C:\WINDOWS\SYSTEM\AUHOOK.DLL
O4 - HKCU…\Run: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE” /0
O4 - HKCU…\RunServices: [SpySweeper] “C:\Program Files\Webroot\Spy Sweeper\SPYSWEEPER.EXE” /0
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.c

Okay, what I’m seeing is that the begin2search is still there. What’s the extra button, extra tools stuff? And what’s the last thing?

Thanks so much.

Make sure HijackThis is in its own folder and is set to make backups of removed items, then check the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
O2 - BHO: SDWin32 Class - {9F27C7FB-EA1B-4A79-A441-02178E093A67} - C:\WINDOWS\SYSTEM\WDCIY.DLL
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.c

I’m not exactly sure what the last item is. As far as I can tell it’s a browser add-on for playing certain web games. It might be malicious though, and if it isn’t anything you use you should get rid of it.
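
Added example, not part of any post in this thread: a small Python parser for the HijackThis entry lines shown above. It labels each section code (R0/R1, O2, O3, O4, O9, O16), lists the hosts the IE search settings point at, and compares the checked lines against a later scan to see what came back. The `CHECKED` lines are copied from the thread; the `RESCAN` text is constructed for illustration and is not a result reported by anyone here.

```python
import re
from collections import namedtuple
from urllib.parse import urlparse

Entry = namedtuple("Entry", "code section fields")

# What each HijackThis section code in this log refers to.
SECTIONS = {
    "R0": "IE start/search page registry value",
    "R1": "IE start/search page registry value",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry",
    "O9": "extra IE button or Tools menu item",
    "O16": "downloaded ActiveX control (DPF)",
}
LINE = re.compile(r"^([RO]\d+) - (.*)$")

def parse_log(text):
    """Return the R*/O* entries; header and process-list lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            code, rest = m.groups()
            fields = tuple(p.strip() for p in rest.split(" - "))
            entries.append(Entry(code, SECTIONS.get(code, "other"), fields))
    return entries

def hosts_in_settings(entries):
    """Hosts that the R0/R1 search and start-page values point at."""
    found = {urlparse(u).hostname for e in entries if e.code in ("R0", "R1")
             for f in e.fields for u in re.findall(r"https?://\S+", f)}
    return sorted(found)

def still_present(checked, rescan):
    """Checked entries that show up again, unchanged, in a later scan."""
    after = {(e.code, e.fields) for e in parse_log(rescan)}
    return [e for e in parse_log(checked) if (e.code, e.fields) in after]

# Lines copied from the thread's log.
CHECKED = r"""R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
O2 - BHO: SDWin32 Class - {9F27C7FB-EA1B-4A79-A441-02178E093A67} - C:\WINDOWS\SYSTEM\WDCIY.DLL
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} - http://www.uproar.com/applets/activex/shizmoo/flipside_web18.c
"""
# Constructed rescan for illustration only: the BHO entry has reappeared.
RESCAN = r"""Logfile of HijackThis (constructed sample)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SDWin32 Class - {9F27C7FB-EA1B-4A79-A441-02178E093A67} - C:\WINDOWS\SYSTEM\WDCIY.DLL
"""
```

An entry that `still_present` returns after a reboot and rescan means something is rewriting it, so the fix did not remove whatever installs it.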