Self replicating program with name variants...

Posted: Wed May 05, 2004 4:35 pm
by Tyranny
Couldn't really think of a better title :P

Anywho, this is the problem. My sister has been noticing that when she uses IE (Yes, I know, she still uses it though), something else keeps stealing the focus away from it. Nothing pops up or anything but all of a sudden the IE window becomes a background window even though nothing comes up in front of it.

I decided to run through different things to see what could potentially be causing this problem and the first thing that came to my mind was spyware or a virus. I opened her task manager up to look at the processes (WinXP Home btw) and we went through each process and came across several that I didn't recognize.

So, we did some research and google didn't return anything on the ones I was the most concerned about. I had her update Ad-Aware and run it, found some stuff but it didn't remove this problem. Had her update Spybot, ran it, found some stuff, didn't remove the problem. Updated Norton A/V and Norton turned up nothing as well.

This is where it gets interesting though. I told her to open her registry and go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
and inside there was an entry called "4M@ZD#F5KNNFGP" which of course didn't turn anything up in google. This is where the only instance of this item is found in the registry. This entry though leads to 3 executables in the Windows\System32 folder called Msyi62.exe, izi6.exe, & jifyvw.exe, not all at the same time though.

When you delete the string and reboot it replaces itself with one of these .exe files and cycles through each one if you repeat the process. It doesn't show up in HKEY_CURRENT_USER though. Same happens when you use msconfig to disable it from starting up, it creates another instance of itself and it is checked off again.

In the task manager there is gispf.exe, jze2.exe, tmot.exe, fysq8.exe & bcka1zS9.exe. Usually there are two instances of these running in her task manager at the same time in any order. If you try to end any one of the processes it starts a new process using one of the names I've listed here and it continues to cycle through these names if you repeat this process. All of these programs indicate being used in the system32 folder on her User account but like I said before, it doesn't show up as being run from the current user in the registry.

Also if you search for any one of these .exe files other than the 3 I mentioned before being used by startup in the registry it doesn't find anything. Even though I think all of this stuff is related.

Doing a search of all of her files & folders through Windows turns up nothing on any of the .exe files either.

We have no clue what this could be. It kind of acts like a virus, but again, Norton didn't find anything. I was hoping that some of you out there might have an idea as to what this could be and how to deal with it because to me this seems like it could potentially be a larger problem than just taking focus away from IE.
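The behaviour described above (one random-looking Run value whose target rotates through a pool of executables after every reboot or kill) is something a defender can spot by diffing Run-key snapshots over time. This is an added example, not code from the thread: the value name and file names are the ones quoted in the post, while the paths, the benign "Updater" entry and the heuristic thresholds are assumptions.

```python
import ntpath
import string

# Constructed snapshots of HKLM\Software\Microsoft\Windows\CurrentVersion\Run,
# one per reboot, modelled on the thread: the value name and the rotating file
# names are the thread's; the paths and the benign "Updater" entry are assumed.
SNAPSHOTS = [
    {"4M@ZD#F5KNNFGP": r"C:\WINDOWS\System32\Msyi62.exe",
     "Updater": r"C:\Program Files\Example\updater.exe"},
    {"4M@ZD#F5KNNFGP": r"C:\WINDOWS\System32\izi6.exe",
     "Updater": r"C:\Program Files\Example\updater.exe"},
    {"4M@ZD#F5KNNFGP": r"C:\WINDOWS\System32\jifyvw.exe",
     "Updater": r"C:\Program Files\Example\updater.exe"},
]


def char_classes(name):
    """Count how many character classes (upper, lower, digit, other) a value name mixes."""
    classes = set()
    for ch in name:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("other")
    return len(classes)


def find_suspicious_run_entries(snapshots, min_classes=3):
    """Flag Run values whose target file name changes between snapshots (the
    rotation seen in the thread) or whose value name mixes several character
    classes (a random-looking name). Returns {value_name: [reasons]}."""
    targets = {}
    for snap in snapshots:
        for name, path in snap.items():
            # ntpath handles Windows paths even when run on a non-Windows box
            targets.setdefault(name, set()).add(ntpath.basename(path).lower())
    findings = {}
    for name, files in targets.items():
        reasons = []
        if len(files) > 1:
            reasons.append("target rotates: " + ", ".join(sorted(files)))
        if char_classes(name) >= min_classes:
            reasons.append("random-looking value name")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_run_entries(SNAPSHOTS).items():
        print(name, "->", "; ".join(reasons))
```

Snapshots can be taken with Autoruns exports or a registry dump after each reboot; a benign entry keeps the same target and a readable name, so it is not flagged.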

Posted: Wed May 05, 2004 6:24 pm
by Grendel
It definitely doesn't belong there -- boot into safe mode and kill the registry entry (use the tool mentioned below) then kill the suspect exe files and reboot. The SysInternals guys have some nifty free tools on their site, I usually use Autoruns to check for things that shouldn't start automatically. TcpView and Process Explorer are handy to have too.

Posted: Thu May 06, 2004 12:11 am
by MD-2389
There's something else running hidden from Task Manager that's re-launching those executables. What you should do is boot into safe mode and make yourself a batch file to end the processes and rename the executables before it has a chance to re-launch them.
@echo off
rem Run this from Safe Mode. Replace *dir* with the folder holding the executables.
rem taskkill ends processes; "net stop" only stops services, so it would not work here.
rem (XP Home ships without taskkill; there "tskill %%P" does the same job.)
rem ren takes a bare file name as its second argument, so no path goes there.
for %%P in (Msyi62 jze2 gispf tmot fysq8 bcka1zS9 izi6 jifyvw) do (
    taskkill /F /IM %%P.exe
    ren "*dir*\%%P.exe" "%%P.exe.old"
)
where *dir* is the folder containing the executable. Then delete the offending files. (rinse and repeat until they all error out)

Or, you could download a copy of Startup.exe and kill it that way. I think you'll have better luck with the batch file in safe mode though.

Posted: Thu May 06, 2004 12:21 am
by Tyranny
Thing is those executables aren't showing up in the folder they're supposedly running from. I'm wondering if they're hidden from Windows as well, I'll try it at least.

Posted: Thu May 06, 2004 12:28 am
by Mobius
OOOH! You caught a good one!

Your sister deserves a cookie!

Posted: Thu May 06, 2004 2:07 pm
by AceCombat
Tyranny wrote: Thing is those executables aren't showing up in the folder they're supposedly running from. I'm wondering if they're hidden from Windows as well, I'll try it at least.
Do you have the folder option of showing all files including hidden enabled? "Hidden" attribute files will be slightly ghosted in appearance.

Posted: Thu May 06, 2004 4:33 pm
by Tyranny
AceCombat wrote: Do you have the folder option of showing all files including hidden enabled? "Hidden" attribute files will be slightly ghosted in appearance.
No!?! really!?! I assure you Ace that I've looked all through her system with Hidden files visible and hidden system files visible and exhausted every resource I have at my disposal before I came here :P

Posted: Thu May 06, 2004 4:41 pm
by AceCombat
okay smartass, i was just asking. :lol:

Posted: Thu May 06, 2004 5:35 pm
by Tyranny
Problem fixed. Hammered the buggers in safe mode in the system32 folder and registry. thx for the suggestions everyone, yeah and even you too Ace :P

Posted: Thu May 06, 2004 7:24 pm
by AceCombat
damn, for once i get complimented..........WOOOOHOOOO BREAK OUT THE BOOZE!!!

Posted: Sat May 08, 2004 1:03 am
by MD-2389
Just for future reference Tyranny, you might want to use this in the future. :)

Posted: Sat May 08, 2004 11:19 am
by Tyranny
Thx MD. I'm generally well protected against spyware and virii. I try to pass on stuff to her, but she sometimes forgets to update stuff and keep everything current (recipe for disaster).

Sooo...generally I make it a point to do everything I can possibly think of before coming here.

Safe mode slipped my mind for some reason, figures, lol. I appreciate the help from everyone :)