Unknown program - help required

[FAR451]

Sirs,

I use Windows XP. When I shut the system down
a box appears telling me that the program
'kFKXBQ784VvnJFCDYGuMew24+de' is not responding
and do I want to close it now.
I have no idea what this is referring to. The program
does not appear on the list of programmes loaded and
Norton System Works doesn't pick it up as a problem
or virus. Neither does AOL spyware.
Is this a virus or spyware problem and what can I
do to either identify what it is or eliminate it
from my system?

I sent this query to pcreview, who suggested I send a report
re HiJackThis to you.

I have followed the instructions detailed on this site (and as I
am not an expert also purchased SpyOnThis to try to rectify the
problem.......this threw up a whole lot of stuff).

In safeboot mode I ran Ccleaner (it only identified SpyonThis
and MicrosoftSecurityCentre firewall and antivirus disabled as
problems - as I'm running Norton the above MS stuff is supposed
to be off as far as I understand it).
I ran Spybot - nothing found
I ran Counterspy - nothing found
I was unable to connect to the net whilst in safe mode so
haven't run bitdefender or panda.

I have the logs for HiJackThis, GetRunKey and ShowNew,
which I have attached.

This problem still persists and I am very concerned that the
unknown program is a major problem re secruity.

Any help you can give will be very gratefully received.
Thanks in advance for your assistance.

Regards
FAR451

[TimW]

SpyOnThis 2.0 is a roque spyware program. Uninstall it!!

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpyOnThisMonitor"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKCU\..\Run: [SpyOnThisMonitor] "C:\Program Files\SpyOnThis v2.0\SpyOnThis.exe"

After clicking Fix, exit HJT.

Now attach new logs for:

* GetRunKey
* ShowNew
* HJT

[FAR451]

TimW,

Thank you for taking the time to reply. Much appreciated. In order, this is what I've done.
1. I removed SpyonThis from the programs file. I then re-started the computer, but the SpyonThis returned. (How worried should I be that I downloaded this in the first place?).
2. I pasted the text you sent to notepad and allowed it to merge with the registry.
3. I ran HijackThis. There was no entry for O4 - HKCU\..\Run: [SpyOnThisMonitor] "C:\Program Files\SpyOnThis v2.0\SpyOnThis.exe" so I couldn't fix it.
There was a suspicious entry that relates to a supposed problem I had according to SpyonThis.......one of the things it purorted to find was a program called PC Police 2, which was placed at c:\windows\prefetch\MSMSGS.EXE.2B6052DE.pf.
I noted on the HijackThis log an entry for O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"/background. I

Not sure if this is a problem in itself.

4. I've tried to delete an icon for SpyonThis. When I try to delete it I get a meesage box stating 'cannot delete SpyonThis: Access denied'.
I'm annoyed that I downloaded it in the first place!

5. Please find attached logs as requested.

I'm grateful to you for you help on this. Cheers..


FAR451

[TimW]

Download and Install RogueRemover Free http://www.majorgeeks.com/RogueRemover_d5360.html

Run RogueRemover and select Scan and the program will walk you through the remaining steps.

Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=-

Tell me how things are running.

[FAR451]

TimW,

Thanks greatly to you for your help. I've followed your advice and so far all seems to be ok. I've also removed SpyonThis and have followed it up with a demand for a refund. Damn those rogue programs.

Thanks again.

Regards

FAR451

[TimW]

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
5. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
8. If you are running Windows XP or Windows ME, do the below:
* go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
9. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

[FAR451]

TimW,

Thanks again. I've followed the instructions and the only thing that may be a problem is MSMSGS.EXE-2B6052DE.pf. I've tried to delete this but it just keeps re-appearing, and it comes back almost instantly. It also returned following the re-boot.

Is this a problem or can I ignore this? (Googling gives references but they aren't conclusive).

Other than that all seems well with the system.

I am VERY appreciative of you're help once again.

Regards

FAR451

[TimW]

Windows Messenger is a program that has many vulnerabilities...
Also Kill the messenger

That should take care of it.

[FAR451]

TimW,

Again, many thanks for your advice and time.

I followed your instructions but MSMSGS.EXE-2B6052DE.pf still
appears in the C:\WINDOWS\prefetch file. It was still there
after I'd run the uninstall and rebooted. Any suggestions?

Also, is EXPLORER.EXE-082F38A9.pf a problem? I've googled it but can't find a definitive answer on this one.

Many thanks in advance.

FAR451

[TimW]

Go to start / run / and type "prefetch" without quotes....it will give you a window with all the items in that folder. Select them all (Control + A) then delete them.

Then run CCleaner (both the cleaner and the issues - make the backup when prompted).

Tell me how things are running.

[FAR451]

TimW,

Your advice has been spot on. Thanks. All seems to be working very well now, apart from EXPLORER.EXE-082F38A9.pf, which still appears in c:\windows. Is this a problem or just part of the system that should be there?

Thanks again for your considered advice and time. Brilliant and well received.

FAR451

[TimW]

Are you unable to manually delete that file? It is possibly a remnant of our fixes.
Let me know.

[FAR451]

TimW,

I have tried to remove EXPLORER.EXE-082F38A9.pf manually. Did delete and also emptied the recycle bin, but on re-boot it re-appears. Also, I tried to open it and then delete the contents but without success.

Any suggestions?

Thanks again for your great advice and time.

FAR451

[TimW]

One of the more difficult to get rid of, unfortunately.
Download and run CWShredder

You may have to run it twice.
Let me know.

[FAR451]

TimW,

Thanks again for your time and help.

Unfortunately EXPLORER.EXE-082F38A9.pf keeps re-appearing, again after manually deleting. The wierd thing that also happened is that the program
'kFKXBQ784VvnJFCDYGuMew24+de' is not responding box came back when I closed the system down. It doesn't always appear but this is now causing me to think that someone has it in for my system!

I don't know how helpful the following is but when I look in CCleaner - Tools there are several programs listed that don't appear in add/remove programs. These are GdiplusUpgrade, Internet Worm Protection, MSRedist, NSW_DRM_Collection, Symnet and SPBBC. I think one or two of these may relate to Norton, which is the security software I use.

Please let me know your thoughts on this latest twist. I'm very grateful to you for this.

Regards

FAR451

[chaslang]

Quote:

Originally Posted by FAR451

Unfortunately EXPLORER.EXE-082F38A9.pf keeps re-appearing, again after manually deleting.

Explorer.exe is your Windows System Shell and is a valid process and you should see it in the Prefetch folder. You should not and do not need to delete it.

[FAR451]

chaslang,

Thanks for that. I'll leave it alone.

Any thoughts on the other stuff that I mentioned? Thanks in advance for your time and advice.

FAR451

[chaslang]

Quote:

Originally Posted by FAR451

Any thoughts on the other stuff that I mentioned?

What other stuff? I saw no outstanding issues?

[FAR451]

chaslang,

Sorry, the outstanding is also the original problem. When I shut the system down a box appears telling me that the program
'kFKXBQ784VvnJFCDYGuMew24+de' is not responding and do I want to close it now.
This appears every now and then on shut down, even after all the work we've done on the system. Is this merely an echo or is there likely to still be a problem?

As it is the computer is working well with no obvious slow down or problem.

Thanks again for your time and expertise.

FAR451

[chaslang]

I doubt it has anything to do with malware. It is more than likely related to some application you have running.

Does it happen in safe mode? You will obviously have to try rebooting in safe mode whatever number of times is necessary to indicate to you that it either does or does not happen.

If it does not happen in safe mode, I suggest you use MSconfig for its intended debug purpose and disable various processes and services from loading at start up until you locate the problem. Note however it may also not be related to a startup process, it could be due to something else you periodically run/use on your PC and after it has been used and then you may get the shutdown error.