www2.google.com and pop up box?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
When I search from the address bar, all of a sudden it goes to www2.google.com and a box pops up, but it minimizes and I can't maximize it. I ran Ad-Aware and Spybot, and they didn't find anything. Here is my HijackThis scan:

Logfile of HijackThis v1.95.0
Scan saved at 7:09:13 PM, on 9/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\MSMGT.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis195[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [SZGN] C:\WINDOWS\SZGN.exe
O4 - HKLM\..\Run: [YFMTAHO] C:\WINDOWS\YFMTAHO.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [WDKRYJQ] C:\WINDOWS\WDKRYJQ.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus DWL-650+ Utility.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: RemindU (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/motivedocs/ces/aw/ipgaxctrl.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
Another box keeps popping up, well, minimizing itself, and it says Smiley Download, but I can't make it maximize either...
 
Joined
Dec 9, 2000
Messages
45,855
You will need to have HijackThis in a convenient location, preferably in a permanent folder. You should be using a later version than the one you have:

http://www.tomcoyote.org/hjt/

Shutdown completely and wait about 20 seconds. On restart press f8 promptly to access the boot menu and select Safe Mode.

1 -- In Safe Mode, run HijackThis and check and fix the following entries:

O4 - HKLM\..\Run: [SZGN] C:\WINDOWS\SZGN.exe
O4 - HKLM\..\Run: [YFMTAHO] C:\WINDOWS\YFMTAHO.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [WDKRYJQ] C:\WINDOWS\WDKRYJQ.exe

O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

^^ unsure of this one; if you don't know what it is "fix" it.

2 -- Run regedit and under BOTH keys HKey_Local_Machine and HKey_Current_User, navigate to:

Software\Microsoft\Windows\CurrentVersion\RUNONCE

>> Right-click on and delete, in the right pane, any entries you see except "Default"

3 -- Make sure Show Hidden Files is selected in Folder Options > View and find and delete:

C:\WINDOWS\SZGN.exe
C:\WINDOWS\YFMTAHO.exe
C:\WINDOWS\MSMGT.exe
C:\WINDOWS\WDKRYJQ.exe

4 -- Reboot, test for resolution and post a new Scanlog using the latest version.
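The advice above boils down to two triage steps on the O4 (autostart) section: spot executables with random-looking names sitting directly in C:\WINDOWS, then re-scan and confirm they are gone. The following is an added example written for this thread, not code from HijackThis or from either poster. It parses O4 lines with a regular expression, applies a naming heuristic to flag the kind of entry the helper picked out, and diffs two logs so the "test for resolution" step can be checked mechanically. The two log excerpts are constructed from the scans posted in this thread, and the allowlist of legitimate files in the Windows folder is an assumption for illustration.

```python
"""Triage HijackThis O4 (autostart) entries and diff two scan logs.

Added example for this thread; not part of HijackThis. The log excerpts are
constructed from the scans posted above, and KNOWN_WINDIR_EXES is an assumed
allowlist, not a definitive one.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the first scan (v1.95.0, 7:09 PM), before the fix.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SZGN] C:\WINDOWS\SZGN.exe
O4 - HKLM\..\Run: [YFMTAHO] C:\WINDOWS\YFMTAHO.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [WDKRYJQ] C:\WINDOWS\WDKRYJQ.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Constructed excerpt of the second scan (v1.97.2, 8:30 PM), after the fix.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# Matches the HKLM/HKCU Run and RunOnce forms; Global Startup lines are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

WINDIR = r"C:\WINDOWS"
# Assumed allowlist: legitimate executables that live directly in the Windows folder.
KNOWN_WINDIR_EXES = {"explorer.exe", "notepad.exe", "regedit.exe"}
# Heuristic: 4 to 8 uppercase letters with no vendor-style naming.
RANDOM_NAME_RE = re.compile(r"^[A-Z]{4,8}\.EXE$")


@dataclass(frozen=True)
class RunEntry:
    hive: str
    key: str
    name: str
    command: str

    @property
    def image_path(self) -> str:
        """Executable path: the quoted path if quoted, else the first token ending in .exe."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
        return m.group(1) if m else cmd.split()[0]


def parse_o4(log: str) -> list[RunEntry]:
    """Return every O4 Run/RunOnce entry found in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def is_suspicious(entry: RunEntry) -> bool:
    """Flag an unknown, random-named executable placed directly in the Windows folder."""
    parent, _, filename = entry.image_path.rpartition("\\")
    if parent.upper() != WINDIR.upper():
        return False
    if filename.lower() in KNOWN_WINDIR_EXES:
        return False
    return bool(RANDOM_NAME_RE.match(filename.upper()))


def flag_suspicious(log: str) -> list[str]:
    """Names of O4 entries the heuristic flags, in log order."""
    return [e.name for e in parse_o4(log) if is_suspicious(e)]


def diff_run_entries(before: str, after: str) -> dict[str, set[str]]:
    """Entry names removed or added between two scans (the 'test for resolution' step)."""
    b, a = set(parse_o4(before)), set(parse_o4(after))
    return {"removed": {e.name for e in b - a}, "added": {e.name for e in a - b}}


if __name__ == "__main__":
    print("flagged before fix:", flag_suspicious(LOG_BEFORE))
    print("flagged after fix: ", flag_suspicious(LOG_AFTER))
    print("diff:", diff_run_entries(LOG_BEFORE, LOG_AFTER))
```

The heuristic is deliberately narrow: it only looks at files directly in the Windows folder, so vendor items in System32 or Program Files are never flagged, and anything on the allowlist is skipped. Real triage would add a hash or signature lookup for the flagged files before deleting them in Safe Mode, as the helper instructs.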
 

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
Logfile of HijackThis v1.97.2
Scan saved at 8:30:05 PM, on 9/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\hphmon04.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\D-Link AirPlus\WLANMON.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: D-Link AirPlus DWL-650+ Utility.lnk = ?
O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: RemindU (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/motivedocs/ces/aw/ipgaxctrl.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://activex.microsoft.com/objects/ocget.dll
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C1A91F-F8F1-4189-B8DA-5C9E6515C696}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DF0634-158E-4A97-9586-5F61FBADD7B9}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38



Also, now there is a box with an exclamation point at the bottom that says MessageApp... see attached pic... well, never mind, I can't attach a pic because it keeps saying page can't be displayed every time I try to attach it.
 

wguido

Thread Starter
Joined
Jan 16, 2003
Messages
206
And it is still going to www2.google.com instead of MSN for searching.
 
Joined
Dec 9, 2000
Messages
45,855
Check and "fix" all these entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C1A91F-F8F1-4189-B8DA-5C9E6515C696}: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DF0634-158E-4A97-9586-5F61FBADD7B9}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

You may also have to go to Internet Options > Programs Folder and click "reset web settings".

This will set search and homepages to their OEM or in this case ISP (comcast installed) defaults. This might not be necessary, but if removing the above and rebooting afterwards doesn't help, do it.

Also clear your Temporary Internet Cache, History and Offline caches. This is best done immediately after rebooting, from the Internet Options applet in the Control Panel, without first opening IE.
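The O17 entries the helper lists are the core of this case: every control set on the machine has its TCP/IP NameServer value pointed at a single address that is not the ISP's resolver, which is what sends address-bar searches somewhere the user did not choose. As an added example for this thread (not HijackThis code and not the helper's), the script below parses the O17 lines, groups the NameServer addresses by the registry control sets they appear in, and marks any address that is not on the analyst's expected-resolver list. The sample lines are a constructed excerpt of the second log posted above; the expected resolver address used in the demo is a documentation placeholder (192.0.2.53), to be replaced with the addresses from the ISP's DHCP lease. The mapping of HijackThis abbreviations CCS, CS1 and CS2 to CurrentControlSet, ControlSet001 and ControlSet002 is the one HijackThis uses.

```python
"""Triage HijackThis O17 (TCP/IP NameServer) entries.

Added example for this thread; not part of HijackThis. SAMPLE_O17 is a
constructed excerpt of the log posted above. EXPECTED_RESOLVERS is a
placeholder (RFC 5737 documentation address) to be replaced with the ISP's
real DNS servers.
"""
from __future__ import annotations

import re
from collections import defaultdict

SAMPLE_O17 = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C1A91F-F8F1-4189-B8DA-5C9E6515C696}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38
"""

# Placeholder: fill in from the ISP's DHCP lease (ipconfig /all) before use.
EXPECTED_RESOLVERS = {"192.0.2.53"}

# HijackThis abbreviations for the registry control sets.
CONTROL_SETS = {"CCS": "CurrentControlSet", "CS1": "ControlSet001", "CS2": "ControlSet002"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\(?P<path>.+?): NameServer = (?P<servers>.+)$"
)


def parse_o17(log: str) -> list[tuple[str, str, list[str]]]:
    """Return (control set, key path, [server, ...]) for each O17 line."""
    out = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # NameServer may hold several addresses separated by commas or spaces.
            servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
            out.append((m["cs"], m["path"], servers))
    return out


def triage(log: str, expected: set[str]) -> dict:
    """Group NameServer addresses by control set and flag those not in `expected`.

    A hijacked value that also lives in ControlSet001/002 matters because a
    'Last Known Good Configuration' boot would copy it straight back.
    """
    where: dict[str, set[str]] = defaultdict(set)
    for cs, _path, servers in parse_o17(log):
        for ip in servers:
            where[ip].add(CONTROL_SETS.get(cs, cs))

    findings = []
    stale_affected = False
    for ip, sets in sorted(where.items()):
        unexpected = ip not in expected
        if unexpected and any(s != "CurrentControlSet" for s in sets):
            stale_affected = True
        findings.append({
            "ip": ip,
            "control_sets": sorted(sets),
            "status": "UNEXPECTED" if unexpected else "expected",
        })
    return {"findings": findings, "stale_control_sets_affected": stale_affected}


if __name__ == "__main__":
    result = triage(SAMPLE_O17, EXPECTED_RESOLVERS)
    for f in result["findings"]:
        print(f"{f['status']:10} {f['ip']:16} in {', '.join(f['control_sets'])}")
    if result["stale_control_sets_affected"]:
        print("Note: the unexpected resolver is also present in a non-current control set.")
```

The "stale control set" flag is the practical reason the helper has every O17 line fixed rather than only the CurrentControlSet ones: clearing the live value alone leaves a copy that a Last Known Good boot would restore. Run the check again on the post-fix log; an empty findings list, or only expected addresses, is the resolution criterion.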
 
Joined
Dec 9, 2000
Messages
45,855
I have no idea. I've been seeing a few of these apparent name server hijacks lately -- all the IPs are held by "everyones internet", a legitimate internet company, but that doesn't mean the actual address is legit.

I'm not sure I've seen a complete resolution yet. I'm hoping deleting those entries will do it, because I don't see anything else, at least from this end of the Scanlog.

You can also post "startuplist" by clicking Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist.

This will show configured services, although I doubt I'll see anything, it would be good to have a look.

Could the "MessageApp" be this....

http://216.239.41.104/search?q=cach...0303/tech_0403c.asp+MessageApp&hl=en&ie=UTF-8

Might be one of those two Dell entries in the startups, I know I have a Dell and the first thing I did was remove all their startups, so I don't know what they do.

Well, evidently it's not dadapp.exe ....

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM
 