1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

hi! can anyone help me?

Discussion in 'Windows XP' started by ifuseeme, Sep 21, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. ifuseeme

    ifuseeme Thread Starter

    Joined:
    Sep 7, 2004
    Messages:
    4
    hey good day. can you help me on how to remove the begin2search toolbar? and then, every time i browse, theres a sir search website/crawler. can you help me? oh, there also pop-ups. need help badly...
    here is the log file

    Logfile of HijackThis v1.98.2
    Scan saved at 9:53:04 AM, on 9/22/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\SahAgent.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
    C:\unzipped\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall.antivirus.com/housecall/start_corp.asp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.skyinet.net:3128
    R3 - URLSearchHook: (no name) - {4BC62119-53D6-4C85-E46E-18BF09F9F02F} - C:\WINDOWS\Idxpedgy.dll
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
    O2 - BHO: (no name) - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - (no file)
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Main Class - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL
    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll
    O2 - BHO: (no name) - {C3E3D814-A9E6-5ABD-3E75-8C589F3FF673} - C:\WINDOWS\Idxpedgy.dll
    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dll
    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM32\winb2s32.dll
    O3 - Toolbar: Search - {0E80E6CA-B5D2-0148-1B70-A3CDC553A73A} - C:\WINDOWS\Idxpedgy.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
    O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.com/build/vbiewer.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4AF2C6A-3AAA-4D30-BCFE-CB7B5EABC26C}: NameServer = 202.78.97.41,202.78.97.3
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: Domain = skyinet.net
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: NameServer = 202.78.97.41,202.78.97.3
     
  2. physician

    physician

    Joined:
    Jul 13, 2004
    Messages:
    1,421
    Sorry, I tried to do your log but you need someone better than me. You do have quite a bit of spyware and possible other problems. Make sure your spybot is up to date, your OS is up to date, your AVG definitions are up to date and consider getting adaware SE too. This will bump you up...doc
     
  3. TypeSK

    TypeSK

    Joined:
    Mar 16, 2002
    Messages:
    676
    also, get a BHO scanner ... searching my previous posts will lead you to a BHO checker and you can delete the stupid thing from there ....
     
  4. TypeSK

    TypeSK

    Joined:
    Mar 16, 2002
    Messages:
    676
  5. physician

    physician

    Joined:
    Jul 13, 2004
    Messages:
    1,421
    He's got more than a BHO problem and needs something more than a BHO app. He has SAHAgent which is a known spyware. He has the webrebates spyware which is a hassle to get rid of. Then he has the bho problem - begin2search.

    This is not right either and I believe is bad - bxxs5.dll and this winb2s32.dll and this Idxpedgy.dll and theres a lot more...doc
     
  6. natcom

    natcom

    Joined:
    Sep 21, 2003
    Messages:
    2,243
    C:\WINDOWS\System32\SahAgent.exe {delate this from safe mode }

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7s

    R3 - URLSearchHook: (no name) - {4BC62119-53D6-4C85-E46E-18BF09F9F02F} -
    C:\WINDOWS\Idxpedgy.dll

    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 adwave.com
    O1 - Hosts: 216.130.185.143 www.xzoomy.com
    O1 - Hosts: 216.130.185.143 xzoomy.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 websearch.com
    O1 - Hosts: 216.130.185.143 www.adwave.com
    O1 - Hosts: 216.130.185.143 advnt01.com
    O1 - Hosts: 216.130.185.143 www.advnt01.com

    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll

    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM32\winb2s32.dll {note delate this from safe mode }

    O2 - BHO: Main Class - {9DD4258A-7138-49C4-8D34-587879A5C7A4} - C:\PROGRA~1\MSN\SMARTTAG\MSNBHO.DLL

    O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.d

    O2 - BHO: (no name) - {C3E3D814-A9E6-5ABD-3E75-8C589F3FF673} - C:\WINDOWS\Idxpedgy.dll

    O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\System32\mscb.dl

    O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.d

    O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
    O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe" {note delate WebRebates0.exe from safe mode as well }

    O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe {note delate from safe more }

    O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe {note check on add/remove programs for this as well and remove }

    O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe {note make sure you delate this from safe mode as well }

    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri11

    O16 - DPF: {0B682CC1-FB40-4006-A5DD-99EDD3C9095D} (vbiewer control) - http://www.thepaymentcentre.co

    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/8

    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download

    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4AF2C6A-3AAA-4D30-BCFE-CB7B5EABC26C}: NameServer = 202.78. {note if you dont know this ip '202.78.97.41,202.78.97.3 fix this }

    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3024366-BFAC-4D0A-AC15-CC60860BF000}: NameServer = 202.78


    Close All Explorer adn IE Windows, check the above lines in hijackthis and click on Fix Checked !!

    Then Download these tools,
    PeperFix >. http://downloads.subratam.org/PeperFix.exe
    About:Buster >> http://www.atribune.org/downloads/AboutBuster.zip
    Stinger >> http://vil.nai.com/vil/stinger

    Then Disable ur Messenger Service if its running >> http://www.itc.virginia.edu/desktop/docs/messagepopup/
    After that Follow these Instructions:

    1. Restart ur machine
    2. Boot into safemode and Login as Administrator
    3. Run the AntiVirus tool(Stinger) and delete all viruses it found
    4. Run the Spyware Removal tools(Adaware,Spybot,CWShredder,Peperfix,About:Buster) and delete everything they detect
    5. Then goto My Computer>Tools>Folder Options>View and turn on the feature of Show Hidden Files
    6. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temp and delete all files present here
    7. Goto C:\Documents and Settings\ur usernmae\Local Settings\Temporary Internet Files, and delete the folder of ContentIE
    8. Goto C:\Documents and Settings\ur usernmae\Cookies, and delete all cookies present here.
    9. Reboot back in Normal Mode and check if problems are gone
    10. If YES then Great, otherwise run the Hijakcthis scan, and post the LOG file here again.
     
  7. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/276679

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice