Google Search Pop Under?


stupdasso

Hey all, try and figure this one out. I haven't downloaded anything, who knows about my son, and I have tried using Spybot and Ad-Aware to fix this problem. I have also run my antivirus software program and found nothing. I am using IE 6 on a WinXP Professional system and the problem just started a few days ago. OK, here is the problem. When I go to Google to try to search for something I get a Pop-Under that takes me to Lycos' search engine when I hit enter or click to find what I am looking for. It still lets me search on Google but that annoying :'( Pop-Under shows up. It doesn't happen every time I do a search but maybe 3 out of 6 times it does it. I have also looked to see if there is an unknown program running in the background by using Windows Task Manager and have seen nothing out of the abnormal. I am also using the Google Toolbar and the Google Deskbar. If anyone can offer any help I would GREATLY appreciate it. Thanks in advance.
Dan :'(

Wow, it sure sounds like an IE hijack but Lycos isn't the type of service to do that. And you've already run Ad-Aware and Spybot which didn't show it.
Do you have a Lycos Toolbar installed also? Two places to look would be:
the IE>blank menu area>RIGHT click, the menu of IE display options should appear,
the Start>Control Panel>Add or Remove programs> should show if anything Lycos related is installed.


Hey Ed,
Thanks for the quick reply. No, I just looked under Add/Remove and found nothing about Lycos or any components that might relate to a search bar. I don't have their search bar installed. What do you think about going to Lycos.com and installing their toolbar and then uninstalling it to see if that takes care of the problem? Hmmm maybe? :'(


SonicDragon

Aha! Interesting. I guess Spybot and Ad-Aware have stopped searching for Gator. (Gator has tried everything -- taking legal action against spyware scanners, changing their name etc... maybe it worked :'( )


:'( :'( :'( stupdasso, I know for a fact that Google has a "no pop-up" policy for their website. I would tend to agree with EdP on all counts. I don't think installing a Lycos toolbar and uninstalling it would help (i.e.: it's probably not Lycos that's doing this). Is the popup you get always Lycos, and is it their homepage?
Also, try looking through your processes and services list in the task manager. Maybe you could try disabling one-by-one and seeing if it helps -- that or just sequentially disable the ones for which you don't know their origin (i.e.: iexplore.exe is Internet Explorer, so you wouldn't bother disabling that process/task)

LoneWolfMage

How about the advanced settings for Ad-Aware scans found here (sorry for the cross board post but I don't see a reference guide available for Ad-Aware), then basically deleting EVERYTHING it finds in that scan .. then REBOOT your system and try again. If you have done that AND a virus scan then disregard this message LOL :)
just trying to help :)
Lone Wolf


My suggestion would be to download and run HiJackThis! and post the scan log here so we can see if anything is hijacking your system. :'(
Good suggestion GolfProRM - I should have thought of it myself :'(

My suggestion would be to download and run HiJackThis! and post the scan log here so we can see if anything is hijacking your system. :)
Hey All, thanks for all the replies!!! What a great forum this is. GolfProRM, here is the log from HijackThis. I may see a few things that might come into play with my problem. I am not too sure though. I did check out what Stiker said but it didn't really lead me to anywhere where I could solve the problem. I am almost positive I don't have any Gator CR** on my computer so I don't think it is Gator. And yes epp b it is always Lycos that comes up but no it is not their home page. It comes up with results for whatever I was searching for in Google on the Lycos pop-under. Again thanks for all of your guys' help and suggestions. I hope I can get this figured out.
Dan
P.s. - After some time of investigating and screen captures I found something that was redirecting the pop under. It was quickly switching from http://www.searchreslt.com to http://www.lycos.com. Look in the log I posted and let me know if the bold highlighted area means anything to anyone. I suspect that may be my problem?

Logfile of HijackThis v1.97.7
Scan saved at 8:31:09 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Task Bar Clock 2\tclock2.exe
D:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SYSTEM32\ZONELABS\VSMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Daniel Cancino\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My Browser, NOT Yours!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: Shell=
O1 - Hosts: 12.129.205.209 search.netscape.com
12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [n9qOvLWsG] C:\documents and settings\master jvc\local settings\temp\n9qOvLWsG.exe
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [n9qOvLWsG.exe] C:\documents and settings\master jvc\local settings\temp\n9qOvLWsG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Startup: TClock.lnk = C:\Task Bar Clock 2\tclock2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Send Image to Photo Library - file://C:\Program Files\Photo Slam\Temp\MGI00000.html
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone (HKLM)
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone (HKLM)
O9 - Extra button: Wallpaper (HKLM)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper (HKLM)
O9 - Extra button: Offline (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O9 - Extra 'Tools' menuitem: &Lock folders (HKCU)
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .mts: C:\Program Files\MetaCreations\MetaStream\npmetastream.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .vdo: C:\PROGRA~1\INTERN~1\PLUGINS\NPVDO32.DLL
O13 - WWW. Prefix: http://
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: Serome Web2Phone - http://64.14.212.30/applet/vscp.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clie...ts/y/grt5_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon.../cx_tgctlcm.jsp
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://a1440.g.akamaitech.net/7/1440/291/0...everContent.cab
O16 - DPF: {01356F5E-C352-11D1-B179-0000F87572D1} (MS Home Publishing Checker) - http://pictureit.msn.com/Webstore/Controls/MHPWSIE.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://164.109.144.182/MTSInstallers/MetaStream3.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/s...119/CTSUEng.cab
O16 - DPF: {0D6451B3-FDDA-11D3-BFEC-00D0B725EB0B} (Yahoo! Vision) - http://download.yahoo.com/dl/fv/yv.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - https://eagent.farmersinsurance.com/PLA/eAg...ctiveX/smsx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...?rand=200341112
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedCon...bin/AvSniff.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {3AF4DACE-36ED-42EF-9DFC-ADC34DA30CFF} (PatchInstaller.Installer) - file://F:\content\include\XPPatchInstaller.CAB
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/c...ontent/opuc.cab
O16 - DPF: {483912CF-8995-4434-AD61-6163756E05DF} (AXTNS Control) - http://download.livemath.com/activex/AXTNS.ocx
O16 - DPF: {50F65670-1729-11D2-A51F-0020AFE5D502} (ForumChat) - http://objects.compuserve.com/chat/RTCChat.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/common/s...py/iesnoopy.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/240e8cf10274dc...ip/RdxIE601.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {73020B72-CDD6-4F80-8098-1B2ECD9CA4CA} (HearMe VoiceCREATOR) - http://vp.hearme.com/products/vp/embedded/...plugins/evp.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8A8F3D75-6564-4599-A7DC-313B43A89E1D} (AdInstaller Control) - http://www.movies.net.cn/digital/AdInstaller.ocx
O16 - DPF: {8B1BC605-C593-4865-8F5B-05517F0CD0BB} (MSSecurityAdvisorCD Class) - file://F:\Content\include\msSecUcd.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.microsoft.com/controls/mtsw...izards/sw35.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7862.9715856481
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245...layer5AxWin.cab
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls.../20/SassCln.CAB
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver...iker/wtinst.cab
O16 - DPF: {ABE92375-8159-4759-A4B2-BF29E11CAAC3} (HearMe Microphone Configuration Wizard) - http://www.hearme.com/products/vp/config/p...gins/evpcfg.cab
O16 - DPF: {B8F2846E-CE36-11D0-AC83-00C04FD97575} - http://activex.microsoft.com/activex/contr...nt2/tv_enua.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork.com/orb.../ie/orbiter.cab
O16 - DPF: {CA797B15-445F-4AA9-9828-8A88502F560F} (Uninstall Control) - http://www.worldwinner.com/games/shared/uninstall.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {D702FBF4-EE60-11D0-BD5B-00A0C91F4635} (CFForm Runtime) - http://www.chargers.com/CFIDE/classes/CFJava.cab
O16 - DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} (CTAdjust Class) - http://download.microsoft.com/download/Typ...US/clearadj.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...370/mcfscan.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/s...12119/CTPID.cab
O16 - DPF: {F8F88D0D-E455-11D6-B547-00400555C7FB} (DiskHealth2 Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer,Default_Search_URL = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.w50.com/sw/searchbar/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My Browser, NOT Yours!
O1 - Hosts: 12.129.205.209 search.netscape.com
12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [n9qOvLWsG] C:\documents and settings\master jvc\local settings\temp\n9qOvLWsG.exe
O4 - HKLM\..\Run: [bakra] C:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [n9qOvLWsG.exe] C:\documents and settings\master jvc\local settings\temp\n9qOvLWsG.exe
O16 - DPF: Dialpad Java Applet - http://www.dialpad.com/applet/src/vscp.cab
O16 - DPF: Serome Web2Phone - http://64.14.212.30/applet/vscp.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clie...ts/y/grt5_x.cab
This is the stuff that catches my eye, but I would like someone else here to verify this. :thumbsup:

Guest Paracelsus
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = My Browser, NOT Yours!
Sorry I don't have any answers to the initial problem... But I do Love the above >_< Evidently... Someone knows where and how to find and change things in the Registry

This is the stuff that catches my eye, but I would like someone else here to verify this. >_<
I recommend leaving the two GoogleToolbar2 items.

Hey Guys, I finally figured it out and it was exactly as I suspected. That C:\Program Files\SEP\sep.dll line that I marked in bold was the culprit. I did a search on my computer and looked for that sep.dll file. Well when I found that file it actually had an uninstall that was in there with it (thank god, otherwise I would have had to delete it manually and edit the registry). After I ran the uninstall the problem has gone away. :pirate: Where I got it from is anyone's guess, suspecting my son... :thumbsup: When I tried to find out who or what company made the DLL file or the uninstall of course I came up blank. Well all I have to say is that I am glad that it's out of my system and that if anyone else has the same problem they can be directed to this post. I want to thank everyone that replied on this topic and for all the suggestions. What a great place to come for help. Thanks again all!
Dan
P.s. - Yeah Paracelsus I have a little bit of experience hacking and tweaking the Win Reg! Hehe >_<

It sounded like a BHO from the beginning. I just read on Slashdot about a new BHO that records keystrokes when logging into a bank account. Of course the article was an advertisement for a BHO scanner. Nothing sells a product quite like FUD.

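The review the thread did by eye on the HijackThis log (browser helper objects, toolbars, autostart entries, IE search settings), written out as an added example that is not part of the original posts or of HijackThis itself. The function name `triage`, the `known_dlls` allow-list and the reason strings are assumptions of this example; the sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: seven entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.w50.com/sw/searchbar/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {90E34F98-E3E6-4CD7-A592-E964FED8AF78} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [n9qOvLWsG] C:\documents and settings\master jvc\local settings\temp\n9qOvLWsG.exe
O4 - HKLM\..\Run: [AVG_CC] D:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
COMPONENT = re.compile(r"^(BHO|Toolbar): .*? - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
RUN = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)$")

def triage(log, known_dlls):
    """Return (section, reason, detail) tuples that deserve a manual check.

    known_dlls: lower-case DLL file names the analyst already recognises
    (an allow-list assumed by this example, supplied by whoever reads the log).
    """
    components = defaultdict(set)            # DLL path -> {"BHO", "Toolbar"}
    findings = []
    for line in log.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue                         # header, process list, blank line
        section, body = entry.groups()
        if section in ("O2", "O3"):          # IE helper objects and toolbars
            m = COMPONENT.match(body)
            if not m:
                continue
            kind, clsid, path = m.groups()
            if path == "(no file)":
                findings.append((section, "registered but file missing", clsid))
            else:
                components[path].add(kind)
        elif section == "O4":                # autostart (Run key) entries
            m = RUN.match(body)
            if m and "\\temp\\" in m.group(2).lower():
                findings.append((section, "autorun from a temp directory", m.group(1)))
        elif section in ("R0", "R1") and " = " in body:   # IE start/search settings
            host = urlparse(body.split(" = ", 1)[1]).hostname
            if host:
                findings.append((section, "search/start setting points to", host))
    for path, kinds in sorted(components.items()):
        if path.rsplit("\\", 1)[-1].lower() not in known_dlls:
            detail = f"{path} ({'+'.join(sorted(kinds))})"
            findings.append(("O2/O3", "unrecognised IE component", detail))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"acroiehelper.dll"}):
        print(*finding, sep=" | ")
```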
