I am basically computer incompetent. With that said, my family members are worse, and after receiving an infected e-mail our computer has been swamped with “fecal matter”. I’ve installed and run Ad-aware, SpyBot S&D, and I regularly use Norton AV/Firewall, but to no avail. After cleaning out my computer (and after 4+ hours on the phone with Microsoft tech support), mostly everything is fixed (or there are programs that are hidden and I can’t find). Mostly. There is a toolbar that got installed (the “Begin2Search.com” toolbar) and it just won’t die. I have no idea what a HijackThis log is, haven’t run (?, is used a better word?) one, but this toolbar runs as a component program, so it’s not shown in the add/remove programs list. It doesn’t even show in the running processes list. For that matter, I’ve searched that IE folder and can’t find it. I’m basically a babe in the woods and could use some help.
Now, when, with your help, I finally get it deleted, is there any way to make certain that all of that malware/spyware/adware/trojan horses and what-not are actually gone and not just residing in some hidden file?
I realize that this type of problem has come up on Delphi before, but I’ve checked and it does not apply to this (I’ve already used all the suggested AV programs without any success). You might be able to ID this problem by a file named “o”. It is a .bat file and runs an MS-DOS screen that searches for a non-existent file, then overruns the search buffer (as I understand) and writes 19 different adware/spyware programs to your computer. Any help at all is appreciated, and if you need more info, please say so.
Thank you all very much.
Are your .Dat files up to date? Ad-Aware has “Ad-Aware SE” now out - running version 1.05. (As of 9-29-05). That is what I run and it picks up EVERYTHING…
This thread will be of interest to you. There’s a lot of excellent programs mentioned in there, including HijackThis. I had to use some of these programs on a laptop I bought off eBay.
I would run HijackThis and BHO Demon and that should fix it. I’m guessing Begin2Search.com is coming from a .dll file somewhere.
Besides what has already been said I can’t help you remove the problem, but once you do that I have some advice. Use Opera or Firefox. Some spyware and stuff like the toolbars come through flaws in Internet Explorer; if you use Firefox or Opera they don’t have those holes. They also are just better browsers in my opinion.
Also, I used to work in the Technology Services department of a school district. With a case like yours, we would have done everything you did, and if that didn’t work, we would have gone straight for a re-image. Since this is probably not an option in your case, I’m not really sure what to tell you to fix it. Do you have the Windows CD and all your program CDs? If so, you could back up your files to an external HD and reinstall Windows and your programs.
To keep spyware/adware/malware off, we would use SpywareBlaster (http://www.download.com/SpywareBlaster/3000-8022-10305680.html?tag=lst-0-1). Also, be sure to keep up with Windows Updates. After you install, restart and go back to check for more. Some updates trigger more updates. You might also want to bump up your IE security settings. Last, the best way to prevent this stuff is to simply be careful of what you are clicking on and what sites you go to. Anything from C2 Media or Gator Corporation while you are online is bad for your comp. Anything that says “Your computer may be infected with spyware” is bad for your comp. A lot of times they will have popups that look like they are real Windows message boxes. Be careful and pay close attention to what the cursor looks like. A pointing finger is a linked popup, not a real message.
You also may want to try Google toolbar with popup blocker since many popups lead to spyware. While some say the toolbar itself is “spyware” because it reports back the sites you go to (for category listings and rankings and the such) and it updates itself automatically, it does nothing harmful to the computer, performance, or security and it is made by a reputable company. I have found the Google toolbar to be the ONLY safe search toolbar to have installed. I have used it for over 2 years with much success and no problems.
If you run HijackThis and paste the log here, I can probably help you get rid of all the junk. It’s one of the most useful tools I have ever used, but can cause some problems if you don’t know what you’re deleting. I’ve become the computer guy for my dorm’s floor so I’ve been the one to disinfect people’s computers and get rid of spyware. It’s getting annoying.
I’m assuming the toolbar you’re referring to shows up in IE, so here’s a way around it: go into Control Panel, Internet Options, and go to the Advanced tab. Look for the “Enable 3rd Party Browser Extensions” option and get rid of the check mark in it, then close out all IE windows and restart the computer. That should at least keep the toolbar from doing anything, even if you can’t get rid of it.
For pop-ups… Downloading the Google toolbar helps. It’s one more line on your IE window bar, but it prevents lots of pop-ups from coming over the internet.
It’s not 100% effective, but looking at my google toolbar now, I have 1811 pop-ups that were blocked since I installed this toolbar and I have only had it since maybe march or april.
I don’t see why more people don’t use them… they have pop-up blockers, tabbed browsing, a lot more features than IE, and they don’t allow a lot of the spyware that comes through with IE.
I’ve dealt with every form of spyware under the sun, from simple hosts file redirections to junkware replacing winsock DLL files, to browser hijackers and keyloggers. What you have here is a combo BHO (Browser Helper Object), and Toolbar. The first step to revival is to download HijackThis. Open it up, and click “Scan.” As others have suggested, click “Save Log”, open up that file, and copy/paste the results here for us to examine. Otherwise, in the checklist that comes up, check off anything that says BHO and Toolbar, and click “Fix Checked.” It might warn you that you must close all IE windows for a BHO to be removed, so you’ll want everything closed except HijackThis when you do that. After it’s all set, try opening up IE, and see if it’s gone. If it’s still there, we’ll have a look at the log file, and suggest some registry changes to manually remove the bugger. (I’ve noticed HijackThis can and does effectively remove toolbars from HKEY_LOCAL_MACHINE but not from HKEY_CURRENT_USER, and often I have to remove toolbar entries from there manually).
Thanks for all the help so far, but alas my problem is not fixed. I’m missing MSVBVM60.dll, so I can’t run HijackThis. If you know of a reliable site that I can download a copy from, please post a link. The problem with this toolbar is that it doesn’t show up in the processes list (in Windows 98, ctrl+alt+del doesn’t bring up a complete list), and every time I turn on the internet, it tries to download all the malware again (reconfigured the firewall, so it catches most of it now at least). On the upside, I found another piece of the junk (“Abetterinternet.exe”), so as I write this list of junk, hopefully I’ll eventually find the master program and nab it.
The using a different browser option actually sounds nice, but like I said, I’m really not good around computers, and I wouldn’t know how to do that either or what would happen (like, does Norton AV configured for IE need to be redone?, etc…)
And trust me, the “Don’t click that flashing prize window”…my little brother is never going to hear the end of this. (what type of seventh-grader goes to rumandmonkey.com anyways?).
All said, I wish I could buy a G5, or maybe install Red Hat… not while the parents buy the computers though.
Thanks for all the help, keep it up! Michael Greenley, Team 341
P.S. The parent site for that is a scam that tries to download more malware, from what I’ve gathered from reading other forums found through Google (which operates at my level of computer know-how).
P.P.S. something new (and not good) that started happening is that text is parsed into “Sponsored Links”…great. Like I didn’t need this type of stress before the season starts (approx. 129 days until robot ship date and counting).
Logfile of HijackThis v1.97.7
Scan saved at 7:57:58 PM, on 10/7/04
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)
Ok, I’m double posting because I wanted a definite way to distinguish between my typing and the log. I’m pretty sure about some of these things being malware related, but I’m not sure about everything. Anyways, I would like to thank everyone involved in this for helping me out! You all have no idea how thankful I am (stop by our pits at a competition, ask for the pit captain; I’d like to shake all of your hands) (or I might visit your pits myself). Anyways, keep up the good work, and thanks in advance!
The B2S and Monitor.exe are both not good. QT and Real aren’t really bad… they’re just useless. Actually, Real is probably bad. Nothing wrong with QT, just useless. http://www.windowsstartup.com/wso/browse.php is the site I use for figuring out what the programs are. Usually tells you if they’re malicious or not. There are more things in that log you can safely remove… and if you read it, you should be able to figure out what they do.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O4 - HKLM…\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM…\Run: [Watch Dog Program] C:\COMPAQ\INTERNET\WATCHDOG.EXE
O4 - HKLM…\Run: [QuickTime Task] “C:\WINDOWS\SYSTEM\QTTASK.EXE” -atboottime
O4 - HKLM…\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM…\RunServices: [HC Reminder] hc.exe
O4 - HKLM…\RunServices: [EncMonitor] C:\Program Files\Encompass\Monitor.exe
O4 - Startup: BackWeb.LNK = C:\CPQS\BackWeb\Program\UserProf.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra ‘Tools’ menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/...ector/swdir.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.c…8030.3408101852
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/206260c...ip/RdxIE601.cab
Looks like the major problems are definitely the BHOs and Toolbars. Clean all that stuff out, and let us know how it goes. (I know there’s still a lot of stuff in this list that’s technically alright, but there’s no harm in removing them anyway; better safe than re-infected. Besides, removing the extra buttons can decrease IE load time, and the DPFs (IE plugins/ActiveX: Shockwave, QuickTime, Windows Update, etc.) will reinstall themselves as you need them.)
Wow, problem solved (unless there’s something that HJT missed or something), thanks to everyone that helped out! (If there’s a quick way to check if everything’s gone, do tell). I didn’t even realize half of the stuff on the computer was on the computer…
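The reply above correlates the log by eye: the same WINB2S32.DLL sits behind both the O2 BHO and the O3 toolbar, and begin2search.com sits behind the R0/R1 search settings. As an added example (not from the thread, nor part of HijackThis), this Python script does that grouping mechanically over HijackThis-style log lines; the sample lines are copied from the log posted above, with the O4 key written as HijackThis prints it (`HKLM\..\Run`).

```python
"""Group HijackThis log entries by the file or URL host they share.

Section codes are HijackThis' own: R0/R1 = IE search/start URLs,
O2 = Browser Helper Objects, O3 = toolbars, O4 = autostart entries.
An indicator that appears under more than one section is the footprint
a single hijacker typically leaves (BHO + toolbar + search redirect).
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Sample input: lines copied from the log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/sidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/sidesearch.html
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O2 - BHO: (no name) - {08227B4B-54FE-4C4D-809F-BCA46292FC5B} - (no file)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\SYSTEM\WINB2S32.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+")   # a drive-letter file path


def indicator(body):
    """Reduce an entry to what is worth correlating on: the lower-cased
    basename of a file path, or the host of a URL. None if neither."""
    m = PATH_RE.search(body)
    if m:
        return m.group(0).rsplit("\\", 1)[-1].lower()
    if " = http" in body:
        return urlparse(body.split(" = ", 1)[1].strip()).hostname
    return None


def correlate(log_text):
    """Map indicator -> sorted list of section codes it appears under."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # headers, blanks, anything not an entry
        ind = indicator(m.group("body"))
        if ind:
            seen[ind].add(m.group("code"))
    return {k: sorted(v) for k, v in seen.items()}


def clusters(log_text):
    """Indicators seen under two or more sections, most widespread first."""
    corr = correlate(log_text)
    return sorted((k for k in corr if len(corr[k]) > 1),
                  key=lambda k: -len(corr[k]))
```

Running `clusters(SAMPLE_LOG)` names the begin2search.com host and winb2s32.dll, while the QuickTime and Radio-toolbar entries each appear under one section only and drop out.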
Anyways, thanks a million (or three-hundred and forty-one) times over,
Michael Greenley, Pit Capt. / Crate Guy, Team 341