Jump to content


pop-ups, general slowness, unknown programs

  • Please log in to reply
4 replies to this topic

#1 kchowning



  • Full Member
  • Pip
  • 5 posts

Posted 28 July 2004 - 06:11 PM

Fixed the problem ... see the last post for details.

I have been through scans using the most up-to-date AdAware and SpyBot. I have also completed a full system scan with the latest files from Norton AntiVirus. While they have eliminated several problems, I continue to have issues with the computer.

1) ZoneAlarm reports that 488Ioafp.exe and MvIFhGaO.exe are trying to access the Internet. I cannot find anything to identify these programs and suspect that they are not useful.

2) A variety of pop-ups appear ... the most often repeated is an "image" of a Windows error message asking if my computer is slow and wanting to sell me spyware removal software. There has also been one from PartyPoker.com.

3) The computer is running very slowly, especially Internet Explorer.

4) I have an error message that appears when I try to click on a link in several of my often used web sites that says "no such interface supported". This occurs when there is a JavaScript command that is meant to pop a new window. The new window never appears. Solutions on the Microsoft site all apply to older version of IE (I am running IE6SP1), but I have tried them anyway. No luck. I don't know if this problem is related to hijacking or any other malicious software, but I'm hoping it is fixed along with everything else.

And ... just to make things interesting ... this computer has been without antivirus, anti-adware or anti-spyware for a very long time.

Thanks for the help! -- Kimberly

The Hijack log (after all scans and after rebooting) is as follows:

[see newer scan below]

Edited by kchowning, 30 July 2004 - 05:15 PM.

#2 kchowning



  • Full Member
  • Pip
  • 5 posts

Posted 28 July 2004 - 06:45 PM

Other popups include "Top Searches on the Web" and an advertisement for Disney screensavers

-- Kimberly

#3 kchowning



  • Full Member
  • Pip
  • 5 posts

Posted 28 July 2004 - 08:27 PM

I re-ran AdAware and removed some additional files. Also, cleaned up the %TEMP% directory. I rebooted, and am attaching the latest HJT log here. I think that the two processes (Pjc0fGV and Vdz3iRh) are renaming themselves randomly. I should also mention that I am running the latest virus files for NAV, but it is NAV 2002 (not so good at rooting out this kind of stuff).

Logfile of HijackThis v1.98.0
Scan saved at 8:23:30 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SBC\Connection Manager\CManager.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msnbc.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: (no name) - {8403CB53-12B3-4537-9DEC-4F12F70A883D} - C:\WINDOWS\anti-pp.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [488IoaFp.exe] C:\documents and settings\owner\local settings\temp\488IoaFp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [MvlFhGaO.exe] C:\documents and settings\owner\local settings\temp\MvlFhGaO.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-him.exe
O4 - HKLM\..\Run: [4R@5ND55MH6LMG] C:\WINDOWS\System32\Hflf4N.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Connection Manager.lnk = C:\Program Files\SBC\Connection Manager\CManager.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\ms.exe
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Microsoft® VBScript® Console - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - (no file)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft® VBScript® Terminal - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O9 - Extra 'Tools' menuitem: VBScript Terminal - {D8D7CBBC-82A4-4097-B414-9B929F88944A} - C:\WINDOWS\system32\comdlg32.ocx (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.co...72/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.co...,16/mcgdmgr.cab

#4 kchowning



  • Full Member
  • Pip
  • 5 posts

Posted 29 July 2004 - 12:15 PM


#5 kchowning



  • Full Member
  • Pip
  • 5 posts

Posted 29 July 2004 - 02:59 PM

I fixed it!!!

There had been earlier problems with a variety of adware, spyware and viruses that the various utilities recommended on this site took care of. However, even after cleaning everything up, ZoneAlarm was still reporting attempts by KERN32 (an invalid program) to access the Internet. Also, there were two processes running in Task Manager with cryptic names. None of those names appeared anywhere in Google searching.

When I stopped either of those processes, a new one would restart within seconds to replace it. These processes cycled through seven or eight random-appearing file names. Each time a new one started, ZoneAlarm reported KERN32 attempting to access the Internet.

A line in the HJT log below remained even after removing the other issues:
O4 - HKLM\..\Run: [4R@5ND55MH6LMG] C:\WINDOWS\System32\Hflf4N.exe

When I tried to have HJT fix that error, even in safe mode, it too would be replaced by a slightly different key and file name within seconds.

A lot of internet searching lead me to a trojan called Peper Trojan (Kephyr, Computer Links, and Sophos). The symptoms matched fairly closely, in that I had pseudo-random file names, the 14-character registry value and so on. However, none of the file names matched their lists. Because I didn't have an exact match, I didn't use any of the utilities or explicit instructions found on those sites.

I made sure that Hidden and System files were being shown and looked for my file names in the Windows/System32 folder. There were four or five listed, all with the same size. I changed the extension on each of them (for future reporting to Symantec) only to watch more appear. I was finally able to rename all files and stop the two currently running services within a short enough time frame to not allow new files to be created. There were three files with a size of 448,775 bytes. These were the three that the registry cycled through. There were twelve files with a size of 233,495 bytes that the task manager was cycling through. There would have been far more if I hadn't beat it to the finish, so to speak.

Once all files were renamed and the services were stopped, I rebooted the computer and have no trace of either the mystery services or unauthorized Internet access.

Apparently, the version of this trojan described in the links above is bundled with MemoryWatcher. I don't know if I have a new version or not. But, it wouldn't surprise me at all if my employer didn't think that something helpful like MemoryWatcher would help resolve the other issues that were brought on by the multiple other infections that had appeared in the past couple of weeks.

BTW, resolving all of this did cure the original issue with the JavaScript not opening pop-up windows successfully.

-- Kimberly

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of

Support SpywareInfo Forum - click the button
PayPal - The safer, easier way to pay online!