Begin2Search IE6 Browser hijack!!

Monty

My IE6 browser keeps getting re-directed by a subtle registry change to
strange porn sites. I have tried everything in terms of spyware
detectors/deleters such as AdAware, Spybot, Spyware Doctor even used
Trend Micro's dedicated spyware software. Trend identifies the offending
Begin2Search, deletes it but somehow it comes back and starts
re-directing my browser again.
Does anyone have any idea how to get rid of this Begin2Search
spyware/malware ONCE AND FOR ALL?

Thanks in advance!
 
Malke

Monty said:
My IE6 browser keeps getting re-directed by a subtle registry change
to strange porn sites. I have tried everything in terms of spyware
detectors/deleters such as AdAware, Spybot, Spyware Doctor even used
Trend Micro's dedicated spyware software. Trend identifies the
offending Begin2Search, deletes it but somehow it comes back and
starts re-directing my browser again.
Does anyone have any idea how to get rid of this Begin2Search
spyware/malware ONCE AND FOR ALL?

Thanks in advance!

Run HijackThis and post your log in one of the specialty forums below
(not here, please):

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke
 
Carey Frisch [MVP]

Begin2Search Description and Removal Instructions:
http://www.spywareremove.com/removeBegin2Search.html

Install Windows Defender
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Note: The latest Windows Defender spyware definitions are
available for installation from the Microsoft Update web site.

--
Carey Frisch
Microsoft MVP
Windows - Shell/User
Microsoft Community Newsgroups
news://msnews.microsoft.com/

-------------------------------------------------------------------------------

| My IE6 browser keeps getting re-directed by a subtle registry change to
| strange porn sites. I have tried everything in terms of spyware
| detectors/deleters such as AdAware, Spybot, Spyware Doctor even used
| Trend Micro's dedicated spyware software. Trend identifies the offending
| Begin2Search, deletes it but somehow it comes back and starts
| re-directing my browser again.
| Does anyone have any idea how to get rid of this Begin2Search
| spyware/malware ONCE AND FOR ALL?
|
| Thanks in advance!
 
tlviewer

Monty said:
My IE6 browser keeps getting re-directed by a subtle registry change to
strange porn sites. I have tried everything in terms of spyware
detectors/deleters such as AdAware, Spybot, Spyware Doctor even used
Trend Micro's dedicated spyware software. Trend identifies the offending
Begin2Search, deletes it but somehow it comes back and starts
re-directing my browser again.
Does anyone have any idea how to get rid of this Begin2Search
spyware/malware ONCE AND FOR ALL?

Thanks in advance!

Monty,

I cleaned Begin2Search from a WinXP machine recently. The Symantec site
http://www.symantec.com/avcenter/venc/data/adware.begin2search.html

has what looks like a good recipe. I would add one more vital step which
they don't mention. Before you go to the tedious step of manually deleting
registry keys and values, go ahead and locate the BHO dll, named as
%system%\ns<randomstring>.DLL

then do
/start
/run
regsvr32 /u <path-to-DLL>

this will remove most (but not all) the keys mentioned by Symantec.

When I looked at the key
hkcu\software\ns<randomstring>.dll

there were literally MBytes & MBytes of text written there. You will need to
delete that key manually.

regards,
tlviewer
 
Monty

But I have found NONE of the .dll, .dat files etc that Symantec insists
are present if you have Begin2Search/ILook infiltration.
I see the 2 listings in regedit for Begin2Search but no amount of right
clicking, copying keys etc seems to reveal a .dll file associated with
it?
How do I as you put it "go ahead and locate the BHO dll, named as
%system%\ns<randomstring>.DLL "??
It's got to be one little registry string somewhere that is wreaking
all this havoc.
I would love to personally punish the author of this malicious scumbag
malware!
 
tlviewer

Monty said:
But I have found NONE of the .dll, .dat files etc that Symantec insists
are present if you have Begin2Search/ILook infiltration.
I see the 2 listings in regedit for Begin2Search but no amount of right
clicking, copying keys etc seems to reveal a .dll file associated with
it?
How do I as you put it "go ahead and locate the BHO dll, named as
%system%\ns<randomstring>.DLL "??

On WinXP, I found the DLL here
c:\windows\system32\nsf1.dll

then I did
/start menu
/run
regsvr32 /u c:\windows\system32\nsf1.dll

after that I went to
hkcu\software\nsf1.dll
and deleted this key
| It's got to be one little registry string somewhere that is wreaking
| all this havoc.

It's a BHO (Browser Helper Object). To register a BHO requires a lot
more than "one little registry string"

When it was installed, nsf1.dll has all the registry entries carried in it
as a resource and they are automatically used.

Your DLL may be named slightly different.
| I would love to personally punish the author of this malicious scumbag
| malware!

Use Linux/Firefox instead.

regards,
tlviewer
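
Added example, not part of any post in this thread: Internet Explorer reads its BHO list from the "Browser Helper Objects" registry key, and each CLSID listed there points to its DLL through CLSID\{...}\InprocServer32, so the DLL can be located without inspecting every file in system32. The Python below parses a regedit export and resolves each BHO to its DLL; the sample export, the CLSIDs and the function names are constructed for illustration, and only the nsf1.dll name and the ns<randomstring>.DLL pattern come from the thread.

```python
import re

# Constructed sample in regedit's export (.reg) format. The CLSIDs and the
# toolbar entry are made up; nsf1.dll is the file name reported in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINDOWS\\system32\\nsf1.dll"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\Example Toolbar\\toolbar.dll"
'''

BHO_PARENT = r"\explorer\browser helper objects"
CLSID_SERVER = re.compile(r"\\CLSID\\(\{[^}]+\})\\InprocServer32$", re.I)
# File-name pattern given in the thread: %system%\ns<randomstring>.DLL
NS_DLL = re.compile(r"\\system32\\ns[^\\]*\.dll$", re.I)

def parse_reg(text):
    """Return {key path: {value name: string data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                # String data escapes backslashes and quotes; undo that.
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                current[name.strip('"')] = data
    return keys

def list_bhos(keys):
    """Map each registered BHO CLSID to the DLL in its InprocServer32 key."""
    servers = {m.group(1).upper(): v.get("@")
               for k, v in keys.items() if (m := CLSID_SERVER.search(k))}
    bhos = {}
    for path in keys:
        parent, _, clsid = path.rpartition("\\")
        if parent.lower().endswith(BHO_PARENT) and clsid.startswith("{"):
            bhos[clsid.upper()] = servers.get(clsid.upper())
    return bhos

def ns_dlls(bhos):
    """BHOs whose DLL matches the thread's ns*.dll-in-system32 pattern."""
    return {c: p for c, p in bhos.items() if p and NS_DLL.search(p)}
```

To run it on a real export, read the file as UTF-16, which is what regedit writes for "Version 5.00" exports. A BHO entry that resolves to no DLL, or to a file that is missing on disk, is also worth a closer look.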
 
Monty

tlviewer:
Well I don't see ANY of the .dll files that either you OR the Symantec
site suggest for tracking down this mf malware.
You wrote: "Your DLL may be named slightly different."
So, in the absence of knowing what the f... .dll I'm looking for; are
you suggesting going thru the entire Windows/System32 registry right
clicking Properties for EACH .dll in order to ascertain the source of
this Begin2Search malware?? Whew I think IE just lost another customer
to FF.
Thanks for your rigorous attempt to help me solve this problem.
 
Plato

Monty said:
My IE6 browser keeps getting re-directed by a subtle registry change to
strange porn sites. I have tried everything in terms of spyware

In the future, do NOT visit porn sites with your main PC. And if using
AIM, do NOT click on messages that say:
"Check this file out". Even if from a "friend" aka buddy.
 
