msgfpk.com process seems to start iexplore.exe process over and over

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by yrrot, Nov 6, 2004.

  1. yrrot

    yrrot Private E-2

    In the last 2 days I have noticed that the process "iexplore.exe" is always running, and when I end the process, it restarts itself. There is no visible Internet Explorer window associated with this process. I know this is not normal, so I examined the running processes a little closer. When I end the iexplore.exe process, there is about a 1 second pause, then a new process is automatically started (named "msgfpk.com") which is IMMEDIATELY replaced by the "iexplore.exe" process again. I managed to do a QUICK screen shot while the msgfpk process showed up, which is how I identified it. I went through all the steps listed in the thread titled "Basic Spyware, Trojan and Virus Removal", but none of them seemed to catch it. I'm hoping someone may know what this is. Thanks in advance and please let me know if you need more information.

    I'm running XP Pro.

    Many thanks!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Yrrot,

    If you have exhausted the options in the Cleanup Tutorial, then please send us a HijackThis Log.

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis
    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    --Are you noticing any symptoms? How is the computer running?

    Send us a log and we'll go from there ;)

    Best,
    PP
     
  3. yrrot

    yrrot Private E-2

    Hi PP,
    I did happen to download the latest version of HJT today. My log file is attached. As far as symptoms, it seems that I've only had 1, possibly 2 ads that popped up inadvertently, and seemed to be attributed to this process. (Meaning, I was on website(s) that I know are safe and use regularly which do not have pop up ads, so I drew that conclusion.) Other than that, no noticeable symptoms other than the extra iexplore.exe process. My CPU usage looks normal and the process only appears to use between 1 and 2 K of memory.

    Thanks,
    Yrrot
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Yrrot,

    Your HJT (1.97.7) is way out of date. Try the link I posted.

    That said, your log is clean. I assume the 016 AutoCAD entries are business related. (I haven't done any CAD since I last studied Engineering long, long ago!)
    I've been known to make a mistake every now and then, but I don't see anything in your log that would be responsible for what you describe.

    You might try running the items in the Alternative Scans - If still having problems section of the tutorial - namely the Online Trojan Scan and a-squared. Then, run an up-to-date HJT and attach a log and let's see if that makes any difference. Are there multiple user accounts on this computer?

    PP
     
  5. PhilliePhan

    PhilliePhan Guest

    As an afterthought - You might want to download the FREE Process Explorer tool from Sysinternals and use it to search out the root of your problem. I'll link you to the page that explains how to use it.

    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

    I'll try to check back when I get a chance.

    PP
     
  6. yrrot

    yrrot Private E-2

    Hi PP,
    Thanks for the info. My goof on the HJT version. I'll download the current version and redo the log file, as well as try the Process Explorer. Regarding the alternative scans, I had done the online Trojan scan before posting here. I will, however, give a-squared a try. Yes, the AutoCAD is legit. I use it with my current job and sometimes just for around the house stuff. :) Thanks again. I'll post back in a little while.

    Regards,
    yrrot
     
  7. yrrot

    yrrot Private E-2

    Hi PhillyPhan,
    Just a quick update on this issue. My computer appears to have some sort of variation of the "beasty" virus, using msagent somehow to cause the problem to recur. I found the msgfpk.com file under my windows\msagent folder. I restarted my computer in safe mode, removed Internet Explorer, and then rebooted in normal mode. I then started getting an error saying "msgfpk.com has encountered a problem and needs to close." with an option to send an error report. This message pops up over and over because it can no longer find my iexplore.exe file. So, I restarted in safe mode again and deleted the msgfpk.com file located under c:\windows\msagent folder. Then I rebooted my PC in normal mode and the message still pops up. This tells me that something else is creating this msgfpk.com file, which is exploiting the iexplore.exe process. None of my virus scans catch any viruses or trojans. This is the closest thing I could find on the Symantec site:
    http://securityresponse.symantec.com/avcenter/venc/data/backdoor.beasty.g.html

    Please let me know what you think. I still need to do the other scans you suggested, so I'll get back to you. I just wanted to give you an update. Thanks again!

    yrrot
     
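    The respawn behaviour described in posts 1 and 7 (kill iexplore.exe, a short pause, msgfpk.com appears, a fresh window-less iexplore.exe replaces it) is exactly what the parent/child process view PP pointed to in post 5 makes visible: each new iexplore.exe has the launcher, not explorer.exe, as its parent and is created a fraction of a second after the launcher itself. The following is an added example written for this page, not code from the original thread, from Process Explorer or from any scanner named here. It runs the same parent-process reasoning over constructed process-creation records; the PIDs, timestamps and the parent PID 999 are made up, and the set of processes expected to start IE is an assumption. The msagent path is the one reported in post 7.

```python
"""Spot a launcher that keeps respawning a hidden iexplore.exe.

Added example, not part of the original thread. A process-tree view exposes
the loop described there because every new iexplore.exe has the launcher as
its parent (not explorer.exe) and starts moments after the launcher does.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: float    # process start time, seconds since boot
    pid: int
    ppid: int    # parent PID at creation time
    image: str   # full path of the executable


# Assumption: on this XP machine only the shell is expected to start IE.
EXPECTED_IE_LAUNCHERS = {"explorer.exe"}

IE = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
LAUNCHER = r"C:\WINDOWS\msagent\msgfpk.com"   # path reported in post 7

# Constructed sample records (PIDs and times are made up). 1200 is explorer.exe.
# One legitimate IE start, then three rounds of launcher -> hidden IE, each
# round following the user killing the previous IE instance. Parent 999 of the
# launcher is deliberately absent from the records: the thread never found it.
EVENTS = [
    ProcEvent(10.0, 1200, 1000, r"C:\WINDOWS\explorer.exe"),
    ProcEvent(20.0, 1300, 1200, IE),          # user opened IE normally
    ProcEvent(100.0, 2000, 999, LAUNCHER),
    ProcEvent(100.2, 2001, 2000, IE),
    ProcEvent(161.0, 2010, 999, LAUNCHER),    # ~1 s after 2001 was killed
    ProcEvent(161.2, 2011, 2010, IE),
    ProcEvent(230.0, 2020, 999, LAUNCHER),
    ProcEvent(230.1, 2021, 2020, IE),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_respawn_launchers(events, child_name="iexplore.exe",
                           max_gap=2.0, min_spawns=2):
    """Return {launcher image: [(launcher_pid, child_pid, delay_s), ...]} for
    every non-shell parent that started `child_name` at least `min_spawns`
    times, each within `max_gap` seconds of the parent's own start.

    Caveat: Windows reuses PIDs; a real tool keys on (pid, start time).
    """
    by_pid = {e.pid: e for e in events}
    spawns = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        if basename(ev.image) != child_name:
            continue
        parent = by_pid.get(ev.ppid)
        if parent is None or basename(parent.image) in EXPECTED_IE_LAUNCHERS:
            continue
        delay = ev.ts - parent.ts
        if 0.0 <= delay <= max_gap:
            spawns[parent.image].append((parent.pid, ev.pid, round(delay, 2)))
    return {img: hits for img, hits in spawns.items() if len(hits) >= min_spawns}


def unknown_parents(events, launcher_image):
    """PIDs that started the launcher but have no record of their own: the
    process that still has to be found (whatever re-creates the launcher)."""
    known = {e.pid for e in events}
    return sorted({e.ppid for e in events
                   if e.image == launcher_image and e.ppid not in known})


if __name__ == "__main__":
    for image, hits in find_respawn_launchers(EVENTS).items():
        print(f"{image} started iexplore.exe {len(hits)} times:")
        for lpid, cpid, delay in hits:
            print(f"  launcher pid {lpid} -> iexplore pid {cpid} after {delay}s")
    print("launcher parents not seen in the tree:", unknown_parents(EVENTS, LAUNCHER))
```

    Killing the child is what triggers the loop, so the useful thing to record is the parent of each new iexplore.exe and the parent of the launcher; the second one is the part this thread never pinned down, which is why deleting msgfpk.com in safe mode was not enough on its own.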
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After completing the Alternative Scans - If still having problems that PP recommended, you really need to get HijackThis version 1.98.2 and post a new log. Make sure no browsers are running.
     
  9. PhilliePhan

    PhilliePhan Guest

    This is shaping up as a nasty little bugger! Hopefully the new scans and HJT will give us a lead.
    Your problem may be beyond my limited capabilities. I should probably defer to the wisdom and expertise of Chaslang - he is much more knowledgeable than I.

    Hang in there ;)

    PP
     
  10. yrrot

    yrrot Private E-2

    Ok. I finally had a chance to run the A-Squared scan and it found nothing. So I have downloaded the latest version of HJT and my log file is attached. Hope this turns up something useful. Thanks again!

    Yrrot
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log states: MSIE: Unable to get Internet Explorer version!

    But yet it still shows as running. C:\Program Files\Internet Explorer\IEXPLORE.EXE

    What exactly did you do to Iexplore.exe? You said you removed it. How? And if it is removed, how are you connecting here and why does it show as running? If it is no longer removed, why does HJT have a problem getting the version?

    If it is actually running, click Help, About, Internet Explorer and tell us your version info (the whole string after version:)
     
  12. yrrot

    yrrot Private E-2

    HI chaslang,
    I uninstalled IE by using the method under ADD/REMOVE PROGRAMS. An error would occur continuously (about every 3 or 4 seconds) and pop up in the middle of anything I was doing. The error stated that msgfpk.com could not continue (because it couldn't find IEXPLORE.EXE anymore) and I could send an error report or cancel. I have since re-installed Internet Explorer so that the pop up error would go away (basically allowing it to be exploited for the time being). I'm not sure why the IE version isn't showing up now though. It is MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106). IE appears to be working just fine.

    While IE was uninstalled, I was using netscape.

    The reason you see IE running in my HJT log is because that's the process that msgfpk.com keeps launching, even though there's no IE browser window, which is my problem in a nutshell. I didn't have any "open" programs when I ran the log. Please let me know if that does not answer your question. Thanks Chaslang!

    Regards,
    Yrrot :)
     
  13. yrrot

    yrrot Private E-2

    UPDATE!
    Hi Chaslang and PhillyPhan....my antivirus software updated its DAT file this morning and now I'm getting a virus notice for this bugger. Here are the details.

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: Backdoor.Beasty.H
    File: C:\WINDOWS\msagent\msgfpk.com
    Location: C:\WINDOWS\msagent
    Computer: TOSHIBALAPTOP
    User: Mills Family
    Action taken: Clean failed : Quarantine failed : Access denied
    Date found: Wed Nov 10 08:40:26 2004

    I'm gonna look into it to see how to clean it. Please let me know if you have any alternate ideas. Thanks!

    Torry
     
  14. Kodo

    Kodo SNATCHSQUATCH

  15. yrrot

    yrrot Private E-2

    Thanks Kodo. I had already looked into this, but the process name listed on the Symantec site does not match my process name. My process is called msgfpk.com, which is different than what the Symantec site points out. I'm hoping all of the steps still apply to my situation. Thanks!

    yrrot :)
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    They should be similar. Just substitute in your process name. Don't forget to run the scan with Symantec while booted in safe mode.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  18. yrrot

    yrrot Private E-2

    Hi Chaslang, PhillyPhan and Kodo,
    Thanks for all your help! It appears that I had, yes HAD! :), a variation of the Backdoor.Beasty.I virus. The removal instructions for version I worked for my case, although some of the virus file names were different. It doesn't appear that my variation is addressed at Symantec's site yet, so I'm posting my "unofficial" edited version of Symantec's removal instructions. It worked for cleaning my computer, and is hopefully helpful for someone else with the same problem. TXT file is attached.

    Thanks to all! :D
     

    Attached Files:

  19. PhilliePhan

    PhilliePhan Guest

    Hey Torry,

    Glad to see that you were able to get to the bottom of this little mystery! :)

    PP
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Torry! I'm happy to hear you got this all fixed up!
     
