help!

edited August 2004 in Spyware & Virus Removal
OK, I need some help please. I don't know what virus this is, but I try to click on a link [like for someone's LiveJournal link in their profile] and it doesn't work. Some other pop-up comes up. And when I do get on websites, some of the words are highlighted orange and are a link to somewhere. I don't know what is going on, help!

Comments

  • edited July 2004
    This may not be a virus. More info is needed. What browser are you using? What version is it? If I understand the problem you are having, basically you click a link and it takes you to a completely different website? If so, I've seen this before with one of my users, caused by having several add-ons in their IE web browser. If you are using IE, I would uninstall any search bars you have installed or anything like that, and that may resolve the problem. However, I found one search bar I couldn't uninstall. In that case, download Firefox (better browser anyway) and either use Firefox (recommended for most internet use), or completely uninstall IE and use Firefox to download a fresh copy. This is only a guess really; I need to know more about your browser before I can say for certain.
  • Kwitko, Sheriff of Banning (Retired)
    edited July 2004
    Give this thread a look. Run Ad-Aware and Spybot, then post a HiJackThis log back here.
  • edited July 2004
    Hm... I may sound kind of stupid, but I don't know what browser I'm using. Also, I've run Spybot and HJT multiple times already; I just don't know what to delete in HJT.

    My HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 11:36:26 AM, on 7/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\drivers\CDAC11BA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
    C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\nfegpfto.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Emily\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {1DAE3153-C119-50B5-845A-655508A22742} - C:\WINDOWS\System32\nefr.dll
    O2 - BHO: (no name) - {42FD3E00-921A-02E2-845A-655508A22746} - C:\WINDOWS\System32\jbtx.dll
    O2 - BHO: (no name) - {4CAF310D-9610-01E9-815E-655508A27B40} - C:\WINDOWS\System32\jdiiupa.dll
    O2 - BHO: (no name) - {4CF96154-C343-53EE-855E-655508A27B46} - C:\WINDOWS\System32\bja.dll
    O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
    O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
    O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite K++\kpp.exe" "C:\Program Files\Kazaa Lite K++\KazaaLite.kpp" /SYSTRAY
    O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [Hlkrf] C:\WINDOWS\System32\nfegpfto.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Emily\Application Data\DownloadPlus.exe
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020713/qtinstall.info.apple.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09ecbb17929bdf3e2305/netzip/RdxIE2.cab
    O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

    thanks :)
  • edited July 2004
    Remember I said, "I would uninstall any search bars." My guess was that you had installed, perhaps by accident, a search bar into your browser (which is Internet Explorer), and look here:

    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll

    I'm not as familiar with HJT as I would like to be; I only started playing with it yesterday. From what I can tell it takes out registry keys and startup processes, but I'm not sure if it cleans anything else; my guess is no. So to be sure you clean your system, try this:

    1. Go to the Control Panel
    2. Double-click Add/Remove Programs
    3. Look for a program that is called something like Begin2Search.com Bar
    4. Select this program from the list
    5. Click the Remove button
    (look for other search bars and remove them as well)
    6. Run HJT
    7. Remove the line:

    O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll

    if it still exists.


    Also, I'm a bit paranoid and this is overkill perhaps, but when posting a log I would omit lines like:
    O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Emily\Application Data\DownloadPlus.exe
    C:\Documents and Settings\Emily\Desktop\HijackThis.exe

    See where it says Emily? That's a username on your computer, I'll bet it's yours (or a family member's), but more importantly I'll bet it has administrator privileges. I would be cautious about posting such information on a public forum. Whereas there may not be too many hackers interested in your computer, they might become interested when they see that you have MS Money running on your computer, meaning that there's a good chance you have personal finance records stored on this machine, and they are already halfway there now that they have your username. Thankfully, this log doesn't show machine-specific information such as MAC addresses or an IP address, which would allow someone to find your machine, but to me it's just one of those things: always try to stay on the safe side by being as anonymous as possible.
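A small triage script, added here as an example (it is not from this thread, nor part of HijackThis itself), that does the two things the posts above describe by hand: it parses the R/O lines of a log like the one posted earlier, flags the entries a reviewer would look at first (unnamed BHOs loading randomly named DLLs from System32, dead BHO registrations, any toolbar, Run values with an empty name or a random-looking System32 executable, startup items launched from the profile folder, ActiveX controls fetched from a bare IP address), and masks the account name in "Documents and Settings" paths before the log is shared. The sample log is an excerpt of the one in the thread; the name heuristics, the small allow-list and the exact wording of the reasons are my assumptions, and the output is a review queue, not a verdict.

```python
import re

# Constructed sample: an excerpt of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DAE3153-C119-50B5-845A-655508A22742} - C:\WINDOWS\System32\nefr.dll
O2 - BHO: (no name) - {4CAF310D-9610-01E9-815E-655508A27B40} - C:\WINDOWS\System32\jdiiupa.dll
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll (file missing)
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [] C:\WINDOWS\System32\
O4 - HKCU\..\Run: [Hlkrf] C:\WINDOWS\System32\nfegpfto.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\Emily\Application Data\DownloadPlus.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/09ecbb17929bdf3e2305/netzip/RdxIE2.cab
"""

ENTRY = re.compile(r"^(?P<section>R[0-3]|O\d{1,2}) - (?P<body>.+)$")
RUN_VALUE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
RANDOM_NAME = re.compile(r"^[a-z]{3,8}\.(?:dll|exe)$")   # short, all-lowercase, no vendor hint (heuristic)
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}\b")

# Illustrative allow-list (assumption): legitimate System32 autoruns the name
# heuristic would otherwise flag. A real list would be much longer.
KNOWN_GOOD = {"hkcmd.exe", "igfxtray.exe"}


def parse_hjt(text):
    """Return (section, body) tuples for every R*/O* line of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def basename(path):
    return path.rstrip().rsplit("\\", 1)[-1].lower()


def command_exe(cmd):
    """Best-effort path of the program a Run value launches (arguments ignored)."""
    m = re.match(r'^"?(?P<path>[^"]*?\.exe)', cmd, re.I)
    return m.group("path") if m else cmd


def reasons_for(section, body):
    """Heuristic review reasons for one entry; an empty list means nothing odd was seen."""
    reasons = []
    if section.startswith("R") and "res://" in body and "shdoclc.dll" not in body.lower():
        reasons.append("search setting served from a DLL resource other than IE's own")
    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if "(no file)" in path or "(file missing)" in path:
            reasons.append("BHO registration whose DLL is missing (dead entry)")
        elif body.startswith("BHO: (no name)") and "system32" in path.lower() \
                and RANDOM_NAME.match(basename(path)):
            reasons.append("unnamed BHO loading a randomly named DLL from System32")
    elif section == "O3":
        reasons.append("third-party toolbar; confirm it was installed on purpose")
    elif section == "O4":
        m = RUN_VALUE.match(body)
        if m:
            if not m.group("name"):
                reasons.append("Run value with an empty name")
            exe = basename(command_exe(m.group("cmd")))
            if "system32" in m.group("cmd").lower() and exe not in KNOWN_GOOD and RANDOM_NAME.match(exe):
                reasons.append("autorun of a randomly named executable from System32")
        elif body.startswith("Startup:") and "application data" in body.lower():
            reasons.append("startup shortcut launching a program from a user profile folder")
    elif section == "O16" and IP_URL.search(body):
        reasons.append("ActiveX control downloaded from a bare IP address")
    return reasons


def triage(text):
    """Flagged entries as (section, body, reasons), in log order."""
    flagged = []
    for section, body in parse_hjt(text):
        reasons = reasons_for(section, body)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


def redact_profile_paths(text):
    """Mask the account name in Documents and Settings paths before a log is posted."""
    return re.sub(r"(?i)(C:\\Documents and Settings\\)[^\\\r\n]+",
                  lambda m: m.group(1) + "<REDACTED-USER>", text)


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
    print(redact_profile_paths(SAMPLE_LOG))
```

On the excerpt above the script flags ten of the fourteen entries and leaves the Acrobat helper, the Intel hotkey autorun, the Norton tray icon and the Apple QuickTime control alone; note that without the allow-list hkcmd.exe would be flagged too, which is the usual cost of a name-shape heuristic and why the result is a queue for a human, not a delete list.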
  • edited July 2004
    Hm, no it wasn't there, but I ran Spybot again, and I think I got rid of it this time. Thanks!!! :)
  • edited August 2004
    Hi everyone. I had a similar problem with the Begin2Search toolbar and after spending a couple hours with Spy scanners I finally discovered that there is actually a pretty easy way to fix it. Here's how:

    1. Go to the Begin2Search website. (You can do that by just clicking on "search" in the Begin2Search toolbar or by typing "Begin2Search" in Google.)

    2. There is a link called "Uninstall toolbar." Click on it and run the application. That's it! Pretty easy, isn't it?

    Nathan
  • Dexter, Vancouver, BC, Canada
    edited August 2004
    Revivalist wrote:
    Hi everyone. I had a similar problem with the Begin2Search toolbar and after spending a couple hours with Spy scanners I finally discovered that there is actually a pretty easy way to fix it. Here's how:

    1. Go to the Begin2Search website. (You can do that by just clicking on "search" in the Begin2Search toolbar or by typing "Begin2Search" in Google.)

    2. There is a link called "Uninstall toolbar." Click on it and run the application. That's it! Pretty easy, isn't it?

    Nathan


    Not always... many adware/hijack problems provide uninstallers, but they are not always legit. Many will "break" your Internet Explorer, telling you that you cannot run IE until you re-install their scumware. Others will uninstall the applications temporarily, leaving behind a "time-bomb" re-installer. Don't trust uninstallers from these companies; most of them had no conscience about installing on your computer without permission in the first place, so why would they care about pulling tricks like those?

    Dexter...