
www2.google.com and pop up box?

Discussion in 'Virus & Other Malware Removal' started by wguido, Sep 30, 2003.

Thread Status:
Not open for further replies.
  1. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    When I search from the address bar, all of a sudden it goes to www2.google.com and a box pops up, but it minimizes and I can't maximize it. I ran Ad-Aware and Spybot, and they didn't find anything. Here is my HijackThis scan:

    Logfile of HijackThis v1.95.0
    Scan saved at 7:09:13 PM, on 9/30/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\MSMGT.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\D-Link AirPlus\WLANMON.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis195[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [SZGN] C:\WINDOWS\SZGN.exe
    O4 - HKLM\..\Run: [YFMTAHO] C:\WINDOWS\YFMTAHO.exe
    O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
    O4 - HKLM\..\Run: [WDKRYJQ] C:\WINDOWS\WDKRYJQ.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: D-Link AirPlus DWL-650+ Utility.lnk = ?
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: RemindU (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/motivedocs/ces/aw/ipgaxctrl.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    Another box keeps popping up, well, minimizing itself, and it says Smiley Download, but I can't make it maximize either...
     
  3. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    You will need to have HijackThis in a convenient location, preferably in a permanent folder. You should be using a later version than the one you have:

    http://www.tomcoyote.org/hjt/

    Shutdown completely and wait about 20 seconds. On restart press f8 promptly to access the boot menu and select Safe Mode.

    1 -- In Safe Mode, run HijackThis and check and fix the following entries:

    O4 - HKLM\..\Run: [SZGN] C:\WINDOWS\SZGN.exe
    O4 - HKLM\..\Run: [YFMTAHO] C:\WINDOWS\YFMTAHO.exe
    O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
    O4 - HKLM\..\Run: [WDKRYJQ] C:\WINDOWS\WDKRYJQ.exe

    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm

    ^^ unsure of this one; if you don't know what it is "fix" it.

    2 -- Run regedit and under BOTH keys HKey_Local_Machine
    and HKey_Current_User, navigate to:

    Software\Microsoft\Windows\CurrentVersion\RUNONCE

    >> Right Click on and delete in the Right Pane any entries you see but "Default"

    3 -- Make sure Show Hidden Files is selected in Folder Options > View and find and delete:

    C:\WINDOWS\SZGN.exe
    C:\WINDOWS\YFMTAHO.exe
    C:\WINDOWS\MSMGT.exe
    C:\WINDOWS\WDKRYJQ.exe

    4 -- Reboot, test for resolution and post a new Scanlog using the latest version.
     
  4. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    Logfile of HijackThis v1.97.2
    Scan saved at 8:30:05 PM, on 9/30/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\DELL\AccessDirect\dadapp.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    C:\WINDOWS\System32\hphmon04.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\Program Files\D-Link AirPlus\WLANMON.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\svchost.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\drivers\dcfssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\unzipped\hijackthis[1]\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (disabled by BHODemon)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: D-Link AirPlus DWL-650+ Utility.lnk = ?
    O8 - Extra context menu item: RemindU - file://C:\Program Files\UpromiseRemindU\System\Temp\upromise_script0.htm
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: RemindU (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {058025FC-4416-436B-ACFD-03E6224C901C} (FileInfo Class) - http://diagnostics.support.hp.com/motivedocs/ces/aw/ipgaxctrl.cab
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} - http://activex.microsoft.com/objects/ocget.dll
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C1A91F-F8F1-4189-B8DA-5C9E6515C696}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DF0634-158E-4A97-9586-5F61FBADD7B9}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38



    Also, now there is a box with an exclamation point at the bottom that says MessageApp... see attached pic... well, never mind, I can't attach a pic because it keeps saying "page can't be displayed" every time I try to attach it.
     
  5. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    and it is still going to www2.google.com instead of msn for searching
     
  6. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Check and "fix" all these entries:

    O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C1A91F-F8F1-4189-B8DA-5C9E6515C696}: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F9DF0634-158E-4A97-9586-5F61FBADD7B9}: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS1\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 216.127.92.38
    O17 - HKLM\System\CS2\Services\Tcpip\..\windows: NameServer = 216.127.92.38
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 216.127.92.38

    You may also have to go to Internet Options > Programs Folder and click "reset web settings".

    This will set search and homepages to their OEM or in this case ISP (comcast installed) defaults. This might not be necessary, but if removing the above and rebooting afterwards doesn't help, do it.

    Also clear your Temporary Internet Cache, History and Offline caches. This is best done immediately after rebooting, from the Internet Options applet in the Control Panel, without first opening IE.
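    A small triage helper for the two patterns Rollin' Rog has wguido fix in posts 3 and 6 (O4 Run entries launching random-named executables straight out of the Windows folder, and O17 NameServer values rewritten to one outside address on every interface and control set), as an added example that is not part of the original thread or of HijackThis itself. It parses HijackThis-style O4 and O17 lines; the sample lines are constructed in the style of the logs above, and the expected-nameserver list (192.0.2.53, a documentation address standing in for the ISP's real servers) and the all-caps-name heuristic are my own assumptions.

```python
"""Triage helper for HijackThis O4 (Run keys) and O17 (NameServer) lines.

Added example, not code from the thread or from HijackThis. It flags:
  * O4 Run entries whose executable sits directly in the Windows folder under
    a random-looking all-caps name (the SZGN.exe / YFMTAHO.exe pattern), and
  * O17 NameServer values that are not in the list of nameservers you expect.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, in the style of the scanlogs posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SZGN] C:\WINDOWS\SZGN.exe
O4 - HKLM\..\Run: [YFMTAHO] C:\WINDOWS\YFMTAHO.exe
O4 - HKLM\..\Run: [MSMGT] C:\WINDOWS\MSMGT.exe
O4 - HKLM\..\Run: [WDKRYJQ] C:\WINDOWS\WDKRYJQ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\windows: NameServer = 216.127.92.38
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0C1A91F-F8F1-4189-B8DA-5C9E6515C696}: NameServer = 216.127.92.38
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 216.127.92.38
"""

# Assumption: the nameservers the machine should be using (placeholder address;
# in practice fill this from the ISP's or router's DHCP-assigned DNS servers).
EXPECTED_NAMESERVERS = {"192.0.2.53"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

WINDOWS_ROOT = r"c:\windows"
# Heuristic (assumption): 4-8 capital letters, .exe, sitting in the Windows root.
SUSPECT_NAME = re.compile(r"^[A-Z]{4,8}\.exe$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "O4" or "O17"
    where: str   # registry location as HijackThis prints it
    reason: str


def executable_path(cmd: str) -> str:
    """Return the program part of a Run value: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def windows_root_random_name(path: str) -> bool:
    """True if the file is directly in C:\\WINDOWS (not System32) with an all-caps random name."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower() == WINDOWS_ROOT and bool(SUSPECT_NAME.match(filename))


def triage(log_text: str, expected_nameservers: set) -> list:
    """Walk the O4 and O17 lines of a scanlog and return the suspicious ones."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = executable_path(m["cmd"])
            if windows_root_random_name(path):
                where = f"{m['hive']}\\..\\{m['key']} [{m['name']}]"
                findings.append(Finding("O4", where, f"random-looking executable in Windows folder: {path}"))
            continue
        m = O17_RE.match(line)
        if m:
            servers = [s for s in re.split(r"[,\s]+", m["servers"]) if s]
            unexpected = [s for s in servers if s not in expected_nameservers]
            if unexpected:
                findings.append(Finding("O17", m["key"], f"unexpected NameServer: {', '.join(unexpected)}"))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per HijackThis section, e.g. {'O4': 4, 'O17': 3}."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, EXPECTED_NAMESERVERS):
        print(f"{f.kind}  {f.where}\n      {f.reason}")
```

    The O17 check is the useful one to keep around: a single outside address repeated across every interface GUID and every control set (CCS, CS1, CS2) is exactly the shape of the hijack in post 4, and comparing against a known-good list catches it without needing to recognise the address itself.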
     
  7. wguido

    wguido Thread Starter

    Joined:
    Jan 16, 2003
    Messages:
    206
    what is the message app thing?
     
  8. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I have no idea. I've been seeing a few of these apparent name server hijacks lately -- all the IPs are held by "everyones internet", a legitimate internet company, but that doesn't mean the actual address is legit.

    I'm not sure I've seen a complete resolution yet; I'm hoping deleting those entries will do it, because I don't see anything else, at least from this end of the Scanlog.

    You can also post "startuplist" by clicking Config > Misc Tools, put a check in "list minor sections" and click Generate Startuplist.

    This will show configured services; although I doubt I'll see anything, it would be good to have a look.

    Could the "MessageApp" be this....

    http://216.239.41.104/search?q=cach...0303/tech_0403c.asp+MessageApp&hl=en&ie=UTF-8

    Might be one of those two Dell entries in the startups, I know I have a Dell and the first thing I did was remove all their startups, so I don't know what they do.

    Well, evidently it's not dadapp.exe ....

    http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM
     
Short URL to this thread: https://techguy.org/168654