Unknown program - help required

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by FAR451, Feb 23, 2007.

  1. FAR451

    FAR451 Private E-2

    Sirs,

    I use Windows XP. When I shut the system down
    a box appears telling me that the program
    'kFKXBQ784VvnJFCDYGuMew24+de' is not responding
    and do I want to close it now.
    I have no idea what this is referring to. The program
    does not appear on the list of programmes loaded and
    Norton System Works doesn't pick it up as a problem
    or virus. Neither does AOL spyware.
    Is this a virus or spyware problem and what can I
    do to either identify what it is or eliminate it
    from my system?

    I sent this query to pcreview, who suggested I send a report
    re HiJackThis to you.

    I have followed the instructions detailed on this site (and as I
    am not an expert also purchased SpyOnThis to try to rectify the
    problem.......this threw up a whole lot of stuff).

    In safeboot mode I ran Ccleaner (it only identified SpyonThis
    and MicrosoftSecurityCentre firewall and antivirus disabled as
    problems - as I'm running Norton the above MS stuff is supposed
    to be off as far as I understand it).
    I ran Spybot - nothing found
    I ran Counterspy - nothing found
    I was unable to connect to the net whilst in safe mode so
    haven't run bitdefender or panda.

    I have the logs for HiJackThis, GetRunKey and ShowNew,
    which I have attached.

    This problem still persists and I am very concerned that the
    unknown program is a major problem re security.

    Any help you can give will be very gratefully received.
    Thanks in advance for your assistance.

    Regards
    FAR451
     

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    SpyOnThis 2.0 is a rogue spyware program. Uninstall it!!

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKCU\..\Run: [SpyOnThisMonitor] "C:\Program Files\SpyOnThis v2.0\SpyOnThis.exe"

    After clicking Fix, exit HJT.

    Now attach new logs for:

    * GetRunKey
    * ShowNew
    * HJT
     
  3. FAR451

    FAR451 Private E-2

    TimW,

    Thank you for taking the time to reply. Much appreciated. In order, this is what I've done.
    1. I removed SpyonThis from the programs file. I then re-started the computer, but the SpyonThis returned. (How worried should I be that I downloaded this in the first place?).
    2. I pasted the text you sent to notepad and allowed it to merge with the registry.
    3. I ran HijackThis. There was no entry for O4 - HKCU\..\Run: [SpyOnThisMonitor] "C:\Program Files\SpyOnThis v2.0\SpyOnThis.exe" so I couldn't fix it.
    There was a suspicious entry that relates to a supposed problem I had according to SpyonThis.......one of the things it purported to find was a program called PC Police 2, which was placed at c:\windows\prefetch\MSMSGS.EXE.2B6052DE.pf.
    I noted on the HijackThis log an entry for O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"/background. I

    Not sure if this is a problem in itself.

    4. I've tried to delete an icon for SpyonThis. When I try to delete it I get a message box stating 'cannot delete SpyonThis: Access denied'.
    I'm annoyed that I downloaded it in the first place!

    5. Please find attached logs as requested.

    I'm grateful to you for your help on this. Cheers..


    FAR451
     

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download and Install RogueRemover Free http://www.majorgeeks.com/RogueRemover_d5360.html

    Run RogueRemover and select Scan and the program will walk you through the remaining steps.

    Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Tell me how things are running.
     
  5. FAR451

    FAR451 Private E-2

    TimW,

    Thanks greatly to you for your help. I've followed your advice and so far all seems to be ok. I've also removed SpyonThis and have followed it up with a demand for a refund. Damn those rogue programs.

    Thanks again.

    Regards

    FAR451
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:

    1. If we used Pocket Killbox during your cleanup, do the below
    * Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
    * go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
    * Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
    * How to Protect yourself from malware!
     
  7. FAR451

    FAR451 Private E-2

    TimW,

    Thanks again. I've followed the instructions and the only thing that may be a problem is MSMSGS.EXE-2B6052DE.pf. I've tried to delete this but it just keeps re-appearing, and it comes back almost instantly. It also returned following the re-boot.

    Is this a problem or can I ignore this? (Googling gives references but they aren't conclusive).

    Other than that all seems well with the system.

    I am VERY appreciative of your help once again.

    Regards

    FAR451
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Windows Messenger is a program that has many vulnerabilities...
    Also Kill the messenger

    That should take care of it.
     
  9. FAR451

    FAR451 Private E-2

    TimW,

    Again, many thanks for your advice and time.

    I followed your instructions but MSMSGS.EXE-2B6052DE.pf still
    appears in the C:\WINDOWS\prefetch file. It was still there
    after I'd run the uninstall and rebooted. Any suggestions?

    Also, is EXPLORER.EXE-082F38A9.pf a problem? I've googled it but can't find a definitive answer on this one.

    Many thanks in advance.

    FAR451
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Go to start / run / and type "prefetch" without quotes....it will give you a window with all the items in that folder. Select them all (Control + A) then delete them.

    Then run CCleaner (both the cleaner and the issues - make the backup when prompted).

    Tell me how things are running.
     
  11. FAR451

    FAR451 Private E-2

    TimW,

    Your advice has been spot on. Thanks. All seems to be working very well now, apart from EXPLORER.EXE-082F38A9.pf, which still appears in c:\windows. Is this a problem or just part of the system that should be there?

    Thanks again for your considered advice and time. Brilliant and well received.

    FAR451
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you unable to manually delete that file? It is possibly a remnant of our fixes.
    Let me know.
     
  13. FAR451

    FAR451 Private E-2

    TimW,

    I have tried to remove EXPLORER.EXE-082F38A9.pf manually. Did delete and also emptied the recycle bin, but on re-boot it re-appears. Also, I tried to open it and then delete the contents but without success.

    Any suggestions?

    Thanks again for your great advice and time.

    FAR451
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    One of the more difficult to get rid of, unfortunately.
    Download and run CWShredder

    You may have to run it twice.
    Let me know.
     
  15. FAR451

    FAR451 Private E-2

    TimW,

    Thanks again for your time and help.

    Unfortunately EXPLORER.EXE-082F38A9.pf keeps re-appearing, again after manually deleting. The weird thing that also happened is that the program
    'kFKXBQ784VvnJFCDYGuMew24+de' is not responding box came back when I closed the system down. It doesn't always appear but this is now causing me to think that someone has it in for my system!

    I don't know how helpful the following is but when I look in CCleaner - Tools there are several programs listed that don't appear in add/remove programs. These are GdiplusUpgrade, Internet Worm Protection, MSRedist, NSW_DRM_Collection, Symnet and SPBBC. I think one or two of these may relate to Norton, which is the security software I use.

    Please let me know your thoughts on this latest twist. I'm very grateful to you for this.

    Regards

    FAR451
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Explorer.exe is your Windows System Shell and is a valid process and you should see it in the Prefetch folder. You should not and do not need to delete it.
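    chaslang's point can be checked rather than guessed at: a .pf file is a trace Windows writes about a program that ran, not the program itself, so reading it tells you which executable it belongs to and how often it ran. The Python below is an added example, not code from this thread or from MajorGeeks; it assumes the documented Windows XP (version 17) prefetch header layout, builds a minimal header inline as constructed sample data, and reports the executable name, run count and last-run time so a .pf file can be judged as evidence instead of deleted.

```python
import struct
from datetime import datetime, timedelta, timezone

# Windows XP prefetch (format version 17) header, per public SCCA format notes
# (offsets are an assumption): version, "SCCA", unknown, file size,
# executable name (60 bytes UTF-16), hash of the executable's full path.
_HEADER = struct.Struct("<I4sII60sI")
_LAST_RUN_OFFSET, _RUN_COUNT_OFFSET = 0x78, 0x90  # FILETIME, 32-bit counter
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - _FILETIME_EPOCH).total_seconds()) * 10_000_000

def parse_xp_prefetch(data, pf_filename):
    """Return what the .pf records: which executable ran, when, and how often."""
    version, sig, _, _, raw_name, path_hash = _HEADER.unpack_from(data, 0)
    if sig != b"SCCA" or version != 17:
        raise ValueError("not a Windows XP (v17) prefetch file")
    exe_name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    last_run = struct.unpack_from("<Q", data, _LAST_RUN_OFFSET)[0]
    run_count = struct.unpack_from("<I", data, _RUN_COUNT_OFFSET)[0]
    # The file name repeats name and hash; a mismatch means the file was renamed.
    expected = f"{exe_name}-{path_hash:08X}.pf"
    return {
        "executable": exe_name,
        "path_hash": f"{path_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "name_matches_header": pf_filename.upper() == expected.upper(),
    }

def build_sample_pf(exe_name, path_hash, last_run, run_count, size=0x98):
    """Constructed sample: a minimal v17 header, not a real file from the thread."""
    buf = bytearray(size)
    _HEADER.pack_into(buf, 0, 17, b"SCCA", 0x0F, size,
                      exe_name.encode("utf-16-le"), path_hash)
    struct.pack_into("<Q", buf, _LAST_RUN_OFFSET, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, _RUN_COUNT_OFFSET, run_count)
    return bytes(buf)

def demo():
    # 082F38A9 is the hash in the thread's file name; time and count are made up.
    ran_at = datetime(2007, 2, 23, 12, 0, tzinfo=timezone.utc)
    sample = build_sample_pf("EXPLORER.EXE", 0x082F38A9, ran_at, 42)
    return parse_xp_prefetch(sample, "EXPLORER.EXE-082F38A9.pf")
```

Run against a real C:\WINDOWS\Prefetch\*.pf, parse_xp_prefetch shows whether the name on disk matches what the header says and when the executable last ran.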
     
  17. FAR451

    FAR451 Private E-2

    chaslang,

    Thanks for that. I'll leave it alone.

    Any thoughts on the other stuff that I mentioned? Thanks in advance for your time and advice.

    FAR451
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What other stuff? I saw no outstanding issues?
     
  19. FAR451

    FAR451 Private E-2

    chaslang,

    Sorry, the outstanding is also the original problem. When I shut the system down a box appears telling me that the program
    'kFKXBQ784VvnJFCDYGuMew24+de' is not responding and do I want to close it now.
    This appears every now and then on shut down, even after all the work we've done on the system. Is this merely an echo or is there likely to still be a problem?

    As it is the computer is working well with no obvious slow down or problem.

    Thanks again for your time and expertise.

    FAR451
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I doubt it has anything to do with malware. It is more than likely related to some application you have running.

    Does it happen in safe mode? You will obviously have to try rebooting in safe mode whatever number of times is necessary to indicate to you that it either does or does not happen.

    If it does not happen in safe mode, I suggest you use MSconfig for its intended debug purpose and disable various processes and services from loading at start up until you locate the problem. Note however it may also not be related to a startup process, it could be due to something else you periodically run/use on your PC and after it has been used and then you may get the shutdown error.
     
  21. FAR451

    FAR451 Private E-2

    chaslang,

    Thank you very much for your time and advice, I'm very grateful.

    FAR451
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Did you find which application was responsible for the message?
     
  23. FAR451

    FAR451 Private E-2

    chaslang,

    I didn't track the application down. With my very limited ability with computers I couldn't find anything with MSconfig that was the obvious culprit. Also, as far as I can tell there is nothing I use on the computer that relates to the problem first described. As I mentioned there doesn't seem to be anything obviously wrong with the system so I'm hoping it's just one of those odd things that happens with a computer.

    If there is anything else you think I should do please let me know.

    Many thanks to you and TimW for your time and efforts. Excellent advice.

    FAR451
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot tell by simply looking. You would have to disable various processes and services from loading at startup and then reboot. And then see what happens. By process of elimination (enabling and disabling various items) you may be able to locate the related process.

    Anyway this is really not malware.
     
  25. FAR451

    FAR451 Private E-2

    chaslang,

    After all this effort I think the original problem relates to AOL spyware protection!! The full reference for the 'can't close down program box' is 'kFKXBQ784VvnJFCDYGuMew24+defaultcfg+eeapp-antispywareApp_2.0.12'
    and as far as I can ascertain this relates to AOL.

    I am very grateful to you and TimW for your time, patience and obvious skill.
    This site is fantastic. Thanks.

    FAR451
     
  26. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you remove any of the AOL programs? In the add/remove: AOL Uninstaller (choose which to uninstall <--probably all of them - unless you use them.)

    And use windows explorer to locate and remove:
    C:\WINDOWS\system32\AOLDial.dll

    See if the problem still exists.
     
  27. FAR451

    FAR451 Private E-2

    TimW,

    Thanks again. I removed AOL dial, but use AOL as my ISP so have left the rest alone. Computer seems fine.

    Very grateful for all your advice (and to chaslang). Hope I won't have to trouble you again in the near future.

    FAR451
     
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem ...glad you're running good.
     