#1
Registered User
Join Date: Sep 2004
Posts: 3
OS: WinXP
please help!! begin2search problem....
hi! i would really, really, really be happy if somebody could help me get rid of this begin2search thing, and whatever else has piggybacked onto my computer through that or...whatever. i don't know what i'm talking about, that's why i need help badly.
i've got adaware SE, and i downloaded spybot, but this stuff is one of those masses of crud that are consistently respawning. there are popups, and the begin2search toolbar, and links right in the middle of text where there should definitely not be links.... here is my log, whenever somebody could get to it, i would, like i said, be really, really, really happy.

Logfile of HijackThis v1.97.7
Scan saved at 5:40:11 PM, on 9/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\goidr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\System32\qdqxhmpg.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Documents and Settings\robin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\SYSTEM32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BurnQuick Queue] C:\WINNT\BQTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINNT\jawa32.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
O4 - HKLM\..\Run: [alebysufbf] C:\WINNT\System32\qdqxhmpg.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [Jawa32] C:\WINNT\jawa32.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O4 - Startup: Download Plus.lnk = C:\Documents and Settings\robin\Application Data\DownloadPlus.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {D6016EE7-A8FF-11D1-B37E-A4759ECD7909} (AxPulse Class) - http://www.pulse3d.com/players/engli...layerAxWin.cab

thank you so much!!! --nia
#3
Assistant Manager, Microsoft Support
Join Date: Jul 2002
Location: Knoxville, TN or Austin, TX depending
Posts: 6,184
OS: WinXP Pro SP2 and Slackware 10.1
hey Nia, I had this exact same problem (probably from the same program...what program gave you this problem?)
I'm not going to attempt to instruct you on how to fix it, as I am still not confident in the fact that it is clean. If you have what I think you have, there should be 2 .exe's running in the background. They are hidden files if you try to find them. Adaware will find them, but will freeze in trying to remove them (any attempt at deleting them manually will freeze explorer.exe), and when booting into safe mode they delete themselves only to return when you go back to normal under a different name. Nasty little virus. (I haven't removed the virus I don't think but I stopped it from starting by removing it from msconfig)
__________________
If TSF has helped you, Tell us about it! or Donate to help keep the site up! I do not subscribe to threads, so if I stop replying, PM me with a link to your thread so I can find it again.
#4
Registered User
Join Date: Sep 2004
Posts: 3
OS: WinXP
hey elf! i was actually coming here to just alert whoever might decide to help that i had found a friend who gave me instructions on what to do--i think i've ended up doing the same thing as you, like a human virus. it's still there, but it's not bothering me any.
and the thing is, i have no idea how i got this thing! i haven't gone to any new sites lately, much less downloaded anything except music...i mean, not really. i don't download music. :) anyway, i hope both of us cease to be screwed with by begin-2-search--oop, except-when-we-fry-your-system-with-our-worthless-ads-and-even-more-useless-links. gee, thanks google! good luck, elf! nia
#5
Analyst, Security Team
Go to the bottom of this message to get the latest version of HijackThis. If the site is down, you can also get it here.
Please print out or copy this page to Notepad. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible.

Turn off System Restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers.

Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):
C:\WINNT\goidr.exe
C:\WINNT\System32\qdqxhmpg.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\Program Files\Web_Rebates\WebRebates0.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:
WebRebates
VBouncer
TV Media
MyDailyHoroscope
WebOffer
MaxSpeed
AdDestroyer - it's rogueware and we highly recommend that you uninstall it. Rogue/Suspect means that these products are of unknown, questionable, or dubious value as anti-spyware protection.
Check and fix the following in HijackThis if they still exist (make sure not to miss any):
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINNT\multimpp.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll (file missing)
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINNT\SYSTEM32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [Jawa32] C:\WINNT\jawa32.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINNT\System32\idctup20.exe
O4 - HKLM\..\Run: [alebysufbf] C:\WINNT\System32\qdqxhmpg.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [conscorr] C:\WINNT\conscorr.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [MyDailyHoroscope] C:\PROGRA~1\MYDAIL~1\MYDAIL~1.EXE
O4 - HKCU\..\Run: [Jawa32] C:\WINNT\jawa32.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:
C:\WINNT\goidr.exe
C:\WINNT\System32\qdqxhmpg.exe
C:\PROGRA~1\Web Offer\
C:\Program Files\Web_Rebates\
C:\PROGRA~1\VBouncer\
C:\Program Files\TV Media\
C:\PROGRA~1\MYDAIL~1\
C:\Program Files\AdDestroyer\

Also delete ALL those EXE and DLL files (in their corresponding directory) listed above in RED.

Reboot into Normal Mode and post a new HijackThis log file so we can make sure it's clean. To help prevent future spyware installations/infections, please read my anti-spyware section and use the tools provided.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
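The analyst's fix list above is produced by applying a few rules to each HijackThis entry: R0/R1 search and start-page values that point at the hijack domains, R3/O2/O3 hooks and BHOs whose file is gone ("(no file)", "(file missing)"), and any autostart or menu entry that references a file or folder on the delete list. The script below is an added example, not code from this thread or from HijackThis; it parses log lines with a small regex, encodes those three rules, and runs them over an excerpt of the posted log embedded as constructed sample input. The domain list and the suspect-path list are taken from the posts above; expanding PROGRA~1 to "Program Files" is an assumption, and MYDAIL~1 is matched in its short form because the log never shows the long one.

```python
"""Triage HijackThis log entries with the rules the analyst applied by hand.
Added example for this thread; not code from the forum or from HijackThis."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Domains the posted log showed hijacking Internet Explorer search settings.
HIJACK_DOMAINS = ("begin2search.com", "drsnsrch.com")

# Files and folders from the analyst's delete and fix lists. PROGRA~1 is
# expanded before matching (assumed 8.3 name); MYDAIL~1 stays short.
SUSPECT_PATHS = (
    "C:\\WINNT\\goidr.exe",
    "C:\\WINNT\\jawa32.exe",
    "C:\\WINNT\\conscorr.exe",
    "C:\\WINNT\\multimpp.dll",
    "C:\\WINNT\\System32\\qdqxhmpg.exe",
    "C:\\WINNT\\System32\\idctup20.exe",
    "C:\\WINNT\\System32\\winb2s32.dll",
    "C:\\PROGRA~1\\Web Offer\\",
    "C:\\Program Files\\Web_Rebates\\",
    "C:\\PROGRA~1\\VBouncer\\",
    "C:\\Program Files\\TV Media\\",
    "C:\\PROGRA~1\\MYDAIL~1\\",
    "C:\\Program Files\\AdDestroyer\\",
)
DEAD_MARKERS = ("(no file)", "(file missing)")
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass
class Finding:
    kind: str    # HijackThis section, e.g. R1, O2, O4
    reason: str  # why an analyst would tell the user to fix it
    line: str    # the original log line


def normalize(text: str) -> str:
    """Case-fold and expand the one 8.3 short name the log uses."""
    return text.lower().replace("progra~1", "program files")


SUSPECT_NORMALIZED = tuple(normalize(p) for p in SUSPECT_PATHS)


def hijacked_host(value: str) -> bool:
    """True if an R0/R1 value's host is (or is under) a hijack domain.
    The SearchURL,(Default) entry has no scheme, so one is supplied."""
    url = value if "://" in value else "http://" + value
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS)


def classify(kind: str, body: str):
    """Return the reason an entry should be fixed, or None if it looks benign."""
    if kind in ("R0", "R1") and " = " in body:
        if hijacked_host(body.split(" = ", 1)[1].strip()):
            return "IE search/start setting points at a hijack domain"
    if kind in ("R3", "O2", "O3") and any(m in body for m in DEAD_MARKERS):
        return "hook/BHO/toolbar references a file that no longer exists"
    if any(p in normalize(body) for p in SUSPECT_NORMALIZED):
        return "references a file or folder on the delete list"
    return None


def triage(log_text: str):
    """Parse a HijackThis log; return (findings, number of entries seen)."""
    findings, seen = [], 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines and the "Running processes:" block
        seen += 1
        reason = classify(m["kind"], m["body"])
        if reason:
            findings.append(Finding(m["kind"], reason, line))
    return findings, seen


# Constructed sample: an excerpt of the log posted earlier in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.wikipedia.org/wiki/Main_Page
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://go.microsoft.com/fwlink/?LinkId=488
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINNT\SYSTEM32\winb2s32.dll
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [goidr] C:\WINNT\goidr.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
"""

if __name__ == "__main__":
    found, total = triage(SAMPLE_LOG)
    print(f"{len(found)} of {total} entries flagged")
    for f in found:
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run it with `python triage.py`; on the sample it flags 10 of the 15 entries and leaves the Wikipedia start page, the Microsoft Shellnext link, the Acrobat BHO, the Radio toolbar and the NVIDIA run entry alone. Substring matching on normalized paths is deliberate so that quoted targets, RUNDLL32 arguments and file:// menu items are all caught by the same rule; a script like this is a first pass over a log, and entries it does not flag (the MaxSpeed O9 item, the installengine O16 download) still need the analyst's eye.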