kchowning

pop-ups, general slowness, unknown programs

5 posts in this topic

Fixed the problem ... see the last post for details.

 

I have been through scans using the most up-to-date AdAware and SpyBot. I have also completed a full system scan with the latest files from Norton AntiVirus. While they have eliminated several problems, I continue to have issues with the computer.

 

1) ZoneAlarm reports that 488Ioafp.exe and MvIFhGaO.exe are trying to access the Internet. I cannot find anything to identify these programs and suspect that they are not useful.

 

2) A variety of pop-ups appear ... the most often repeated is an "image" of a Windows error message asking if my computer is slow and wanting to sell me spyware removal software. There has also been one from PartyPoker.com.

 

3) The computer is running very slowly, especially Internet Explorer.

 

4) I have an error message that appears when I try to click on a link in several of my often used web sites that says "no such interface supported". This occurs when there is a JavaScript command that is meant to pop a new window. The new window never appears. Solutions on the Microsoft site all apply to older versions of IE (I am running IE6SP1), but I have tried them anyway. No luck. I don't know if this problem is related to hijacking or any other malicious software, but I'm hoping it is fixed along with everything else.

 

And ... just to make things interesting ... this computer has been without antivirus, anti-adware or anti-spyware for a very long time.

 

Thanks for the help! -- Kimberly

 

The Hijack log (after all scans and after rebooting) is as follows:

 

[see newer scan below]

Edited by kchowning


I re-ran AdAware and removed some additional files. Also, cleaned up the %TEMP% directory. I rebooted, and am attaching the latest HJT log here. I think that the two processes (Pjc0fGV and Vdz3iRh) are renaming themselves randomly. I should also mention that I am running the latest virus files for NAV, but it is NAV 2002 (not so good at rooting out this kind of stuff).

 

Logfile of HijackThis v1.98.0

Scan saved at 8:23:30 PM, on 7/28/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe

C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE

C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\program files\support.com\bin\tgcmd.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

C:\HP\KBD\KBD.EXE

C:\WINDOWS\System32\igfxtray.exe

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

C:\WINDOWS\System32\hkcmd.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

C:\Program Files\BroadJump\Client Foundation\CFD.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Palm\HOTSYNC.EXE

C:\Program Files\SBC\Connection Manager\CManager.exe

C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe

C:\WINDOWS\System32\Pjc0FGV.exe

C:\WINDOWS\System32\Vdz3iRh.exe

C:\hjt\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O2 - BHO: (no name) - {8403CB53-12B3-4537-9DEC-4F12F70A883D} - C:\WINDOWS\anti-pp.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe

O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe

O4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe

O4 - HKLM\..\Run: [488IoaFp.exe] C:\documents and settings\owner\local settings\temp\488IoaFp.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [MvlFhGaO.exe] C:\documents and settings\owner\local settings\temp\MvlFhGaO.exe

O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe

O4 - HKLM\..\Run: [4R@5ND55MH6LMG] C:\WINDOWS\System32\Hflf4N.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe

O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll

O9 - Extra button: Microsoft® VBScript® Console - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - (no file)

O9 - Extra 'Tools' menuitem: VBScript Terminal - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra button: Microsoft® VBScript® Terminal - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O9 - Extra 'Tools' menuitem: VBScript Terminal - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsc...72/mcinsctl.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab


I fixed it!!!

 

There had been earlier problems with a variety of adware, spyware and viruses that the various utilities recommended on this site took care of. However, even after cleaning everything up, ZoneAlarm was still reporting attempts by KERN32 (an invalid program) to access the Internet. Also, there were two processes running in Task Manager with cryptic names. None of those names appeared anywhere in Google searching.

 

When I stopped either of those processes, a new one would restart within seconds to replace it. These processes cycled through seven or eight random-appearing file names. Each time a new one started, ZoneAlarm reported KERN32 attempting to access the Internet.

 

A line in the HJT log below remained even after removing the other issues:

O4 - HKLM\..\Run: [4R@5ND55MH6LMG] C:\WINDOWS\System32\Hflf4N.exe

 

When I tried to have HJT fix that error, even in safe mode, it too would be replaced by a slightly different key and file name within seconds.

 

A lot of internet searching led me to a trojan called Peper Trojan (Kephyr, Computer Links, and Sophos). The symptoms matched fairly closely, in that I had pseudo-random file names, the 14-character registry value and so on. However, none of the file names matched their lists. Because I didn't have an exact match, I didn't use any of the utilities or explicit instructions found on those sites.

 

I made sure that Hidden and System files were being shown and looked for my file names in the Windows/System32 folder. There were four or five listed, all with the same size. I changed the extension on each of them (for future reporting to Symantec) only to watch more appear. I was finally able to rename all files and stop the two currently running services within a short enough time frame to not allow new files to be created. There were three files with a size of 448,775 bytes. These were the three that the registry cycled through. There were twelve files with a size of 233,495 bytes that the task manager was cycling through. There would have been far more if I hadn't beaten it to the finish, so to speak.

 

Once all files were renamed and the services were stopped, I rebooted the computer and have no trace of either the mystery services or unauthorized Internet access.

 

Apparently, the version of this trojan described in the links above is bundled with MemoryWatcher. I don't know if I have a new version or not. But, it wouldn't surprise me at all if my employer didn't think that something helpful like MemoryWatcher would help resolve the other issues that were brought on by the multiple other infections that had appeared in the past couple of weeks.

 

BTW, resolving all of this did cure the original issue with the JavaScript not opening pop-up windows successfully.

 

-- Kimberly

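The two questions running through this thread, which autorun entries in the HijackThis log deserve a look first and why entries like `[4R@5ND55MH6LMG] C:\WINDOWS\System32\Hflf4N.exe` and the two `%TEMP%` executables stand out, can be turned into a small triage script. The following is an added Python example, not code from the thread, from HijackThis or from any of the sites named above. It runs three defender-side heuristics over lines excerpted from the log posted earlier (plus the log's own orphaned `(no file)` O2 entry): autoruns launched from a temp directory, registry entries whose file is gone, and machine-generated-looking names. The name heuristics (letter/digit mixing, erratic case, no vowels, odd characters) and the "two or more signals" threshold are my own assumptions for illustration; they are meant to rank entries for a human, not to decide what is malicious.

```python
import re

# Lines excerpted from the HijackThis log posted above (one clean O2 entry, the
# orphaned "(no file)" O2 entry and several O4 autoruns); this is the constructed
# sample input for the heuristics below.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [488IoaFp.exe] C:\documents and settings\owner\local settings\temp\488IoaFp.exe
O4 - HKLM\..\Run: [MvlFhGaO.exe] C:\documents and settings\owner\local settings\temp\MvlFhGaO.exe
O4 - HKLM\..\Run: [4R@5ND55MH6LMG] C:\WINDOWS\System32\Hflf4N.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# O4 lines have the shape: O4 - HKLM\..\Run: [value name] command
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autoruns should not normally point into scratch directories.
TEMP_RE = re.compile(r"\\(temp|tmp|temporary internet files)\\", re.I)
VOWELS = set("aeiou")


def command_target(cmd):
    """Best-effort extraction of the executable path from an O4 command string."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, possibly with arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.I)         # unquoted path ending in .exe
    if m:
        return cmd[:m.end()]
    return cmd.split()[0] if cmd else ""         # fall back to the first token


def name_signals(name):
    """Return the reasons (assumed heuristics) a short identifier looks machine-generated."""
    stem = re.sub(r"\.(exe|dll|ocx)$", "", name, flags=re.I)
    if len(stem) < 5 or " " in stem:
        return []                                # human-readable labels are not scored
    has_upper = any(c.isupper() for c in stem)
    has_lower = any(c.islower() for c in stem)
    non_alnum = [c for c in stem if not c.isalnum()]
    # Gate: all-lowercase vendor names such as hpztsb05 or navapw32 are common and
    # noisy, so only mixed-case names or names with odd characters are scored at all.
    if not ((has_upper and has_lower) or non_alnum):
        return []
    reasons = []
    letters = [c for c in stem if c.isalpha()]
    if letters and any(c.isdigit() for c in stem):
        reasons.append("mixes letters and digits")
    if len(letters) >= 4 and not ({c.lower() for c in letters} & VOWELS):
        reasons.append("no vowels")
    if len(letters) > 1:
        shifts = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
        if shifts / (len(letters) - 1) >= 0.5:
            reasons.append("erratic case")
    if non_alnum:
        reasons.append("unusual characters %r" % "".join(non_alnum))
    return reasons


def triage(log_text):
    """Return the log lines worth a closer look, each with the heuristics it tripped."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        reasons = []
        if line.endswith("(no file)"):
            reasons.append("registry entry points at a file that no longer exists")
        m = O4_RE.match(line)
        if m:
            target = command_target(m.group("cmd"))
            if TEMP_RE.search(target):
                reasons.append("autorun launches from a temp directory")
            base = target.replace("/", "\\").rsplit("\\", 1)[-1]
            for label, ident in (("value name", m.group("name")), ("file name", base)):
                sig = name_signals(ident)
                if len(sig) >= 2:                # assumed threshold: two weak signals
                    reasons.append("%s %r looks machine-generated: %s" % (label, ident, ", ".join(sig)))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["line"])
        for reason in finding["reasons"]:
            print("    ->", reason)
```

On the sample above the script reports four lines: the orphaned O2 entry, both `%TEMP%` autoruns and the `4R@5ND55MH6LMG` entry. The two temp-directory entries show why the name heuristics are not enough on their own: `MvlFhGaO` only trips the erratic-case signal, and it is the launch location that gets it reported. Conversely, `TkBellExe` (RealPlayer's scheduler) and `hpztsb05` (an HP printer utility) stay below the threshold, which is the point of the gate and the two-signal rule; a single weak signal on a vendor name is normal.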