msiexece16.exe a Virus?

taff

| A look at task manager - processes shows msiexece16.exe PID 1300 CPU
| (between 95-98) Memory 5996k. This process is using almost all of
| the cpu cycles. If I end the process the speed is back to normal and
| there does not appear to be any ill effects. I could find nothing
| about this exe through a google search. I can't find a registry entry to
| disable its load up at start time. Help re what this process is and
| does and best way to (if possible) permanently eliminate it. Thanks
| in advance.

Yes, this is indeed a new Trojan. It was found about 5 days ago.
http://sarc.com/avcenter/venc/data/backdoor.optixpro.14.html
Follow the instructions here or try Spybot from
http://www.safer-networking.org/index.php?page=mirrors

Taff...........



www.sounds-pa.com | www.thecomputerworkshop.com
David H. Lipman

Are you sure that is spelled correctly and is not really... msiexec16.exe ?

If so, Symantec calls this...

Backdoor.OptixPro.14 -
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.optixpro.14.html

Please go to McAfee (http://www.mcafee.com/myapps/mfs/default.asp) and/or Trend
(http://housecall.antivirus.com) and perform an online scan of your platform and report
back your results.

Based upon the results, we can go on from there.

Dave


ellell2

A look at task manager - processes shows msiexece16.exe PID 1300 CPU
(between 95-98) Memory 5996k. This process is using almost all of
the cpu cycles. If I end the process the speed is back to normal and
there does not appear to be any ill effects. I could find nothing
about this exe through a google search. I can't find a registry entry to
disable its load up at start time. Help re what this process is and
does and best way to (if possible) permanently eliminate it. Thanks
in advance.

ellell2

from McAfee's scan:

16:57 hrs Jan 12, 2004

Files Scanned: 125415
Files Infected: 18
Information: Scanning completed!

C:\WINNT\SYSTEM32\randomiser.exe * Downloader-DH.b
C:\WINNT\SYSTEM32\_FTFM.EXE * W32/Bugbear@MM
C:\WINNT\SYSTEM32\iuiocu.dll * W32/Bugbear.b!data
C:\WINNT\SYSTEM32\lvlqgvk.dll * PWS-Hooker.dll
C:\WINNT\SYSTEM32\FTFM.EXE * W32/Bugbear@MM
C:\WINNT\xgmpiaae.exe * Downloader-DH
C:\WINNT\bbb.exe * Downloader-FM
C:\WINNT\winfavorites.exe * Downloader-FL
C:\Documents and Settings\...\Startup\csc.exe * W32/Bugbear@MM
C:\Documents and Settings\...\new[1].hta VBS/Alphx.worm
C:\Documents and Settings\...\mscache2[1].exe Downloader-DH
C:\Documents and Settings\...\randomiser[1].exe * Downloader-DH.b
C:\Documents and Settings\...\bbb[1].exe Downloader-FM
C:\...\winfavorites[1].exe Downloader-FL
C:\Documents and Settings\...\updates[1].php Downloader-DH.b
C:\...\msg1FB.tmp10729459656662.exe Downloader-DH.b
C:\Documents and Settings\...\Startup\__csc.exe W32/ * Bugbear@MM
C:\Documents and Settings\...\Startup\csc.exe W32/ * Bugbear@MM

My Symantec seems to have missed these.
Guess the next step is to try McAfee.
taff

Results of the McAfee Scan:
Files Scanned: 125415
Files Infected: 18
Information: Scanning completed!

C:\WINNT\SYSTEM32\randomiser.exe * Downloader-DH.b
C:\WINNT\SYSTEM32\_FTFM.EXE * W32/Bugbear@MM
C:\WINNT\SYSTEM32\iuiocu.dll * W32/Bugbear.b!data
C:\WINNT\SYSTEM32\lvlqgvk.dll * PWS-Hooker.dll
C:\WINNT\SYSTEM32\FTFM.EXE * W32/Bugbear@MM
C:\WINNT\xgmpiaae.exe * Downloader-DH
C:\WINNT\bbb.exe * Downloader-FM
C:\WINNT\winfavorites.exe * Downloader-FL
C:\Documents and Settings\...\Startup\csc.exe * W32/Bugbear@MM
C:\Documents and Settings\...\new[1].hta VBS/Alphx.worm http://vil.nai.com/vil/content/v_100850.htm
C:\Documents and Settings\...\mscache2[1].exe Downloader-DH http://vil.nai.com/vil/content/v_100522.htm
C:\Documents and Settings\...\randomiser[1].exe * Downloader-DH.b
C:\Documents and Settings\...\bbb[1].exe Downloader-FM
C:\...\winfavorites[1].exe Downloader-FL http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINFAVS.A
C:\Documents and Settings\...\updates[1].php Downloader-DH.b http://www.hardwareanalysis.com/content/topic/18641/
C:\...\msg1FB.tmp10729459656662.exe Downloader-DH.b
C:\Documents and Settings\...\Startup\__csc.exe W32/ * Bugbear@MM
C:\Documents and Settings\...\Startup\csc.exe W32/ * Bugbear@MM

Erased all those above which are asterisked - the others I could not
find and "SEARCH" reported NOT FOUND.
Went to Symantec's page for OptixPro.14 and made the registry fixes
from regedit run as a COM file from Start|Run|"command". Rebooted,
then ran Trend's scan.

Results from the Trend Scan:
TROJ SMALL.CW Non Cleanable C:\DOCUMENTS AND SETTINGS...
TROJ GOLID.A Non Cleanable C:\WINNT\SYSTEM32\sgvgskbi.dll
TROJ SMALL.CW Non Cleanable C:\WINNT\SYSTEM32\py.exe
BKDR AGENT.A Non Cleanable C:\WINNT\SYSTEM32\dsnmjpy...
TROJ MSCACHE.A Non Cleanable C:\WINNT\Downloaded Program...
TROJ MSCACHE.A Non Cleanable C:\WINNT\spwnwbk.dll
TROJ MLFREE.A Non Cleanable C:\WINNT\ccc.exe

A look at the task manager showed that "msiexec16.exe" was running
again.

what happened?!?


Links to removal sites added.
Also, the trojans can be removed by Ad-Aware
http://www.lavasoft.de/support/download/
or Spybot
http://www.safer-networking.org/index.php?page=mirrors

Taff...............



www.sounds-pa.com | www.thecomputerworkshop.com
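The original poster could not find the registry entry that relaunches the process, and it reappeared after the files were deleted and the box rebooted. The script below is an added example for this thread (editor's code, not from any of the posters or from the vendor write-ups linked above): it enumerates the autostart locations that malware of this kind typically uses (the Run/RunOnce/RunServices keys, the Winlogon Shell and Userinit values, the Startup folders, and services) and lists any running instance of the suspect image together with its on-disk path and SHA-256, so the file can be looked up by hash rather than by a name that is one letter away from a legitimate Windows binary. The image name `msiexec16.exe` is taken from Dave's reply; everything else (parameter name, output layout) is the example's own choice, and it assumes a reasonably current PowerShell (3.0 or later for Get-CimInstance, 4.0 or later for Get-FileHash) run from an elevated prompt.

```powershell
# Added example, not part of the original thread. Enumerates common Windows
# autostart locations and running processes for a given image name.
# Assumption: run elevated; $ImageName is what Task Manager showed.
param(
    [string]$ImageName = 'msiexec16.exe'
)

$escaped = [regex]::Escape($ImageName)

# Registry keys whose values are command lines launched at boot/logon.
# Any value that mentions the image is a persistence candidate.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

Write-Host "== Run-key values mentioning $ImageName =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # PSPath, PSParentPath etc. are provider metadata, not registry values.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $escaped) {
            "{0}\{1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}

# Winlogon values are a classic hiding place. Shell should be explorer.exe and
# Userinit should be %SystemRoot%\system32\userinit.exe, (trailing comma is normal).
Write-Host "== Winlogon Shell / Userinit (compare against the defaults) =="
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Shell    = $($winlogon.Shell)"
"Userinit = $($winlogon.Userinit)"

# Per-user and all-users Startup folders (the Bugbear csc.exe above lived here).
Write-Host "== Startup folder contents =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force | Select-Object FullName, Length, LastWriteTime
    }
}

# Services whose image path mentions the file.
Write-Host "== Services referencing $ImageName =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $escaped } |
    Select-Object Name, State, StartMode, PathName

# Running instances: PID, parent, on-disk path and hash for lookup.
Write-Host "== Running processes named $ImageName =="
Get-CimInstance Win32_Process |
    Where-Object { $_.Name -ieq $ImageName } |
    ForEach-Object {
        $hash = if ($_.ExecutablePath -and (Test-Path $_.ExecutablePath)) {
            (Get-FileHash -Algorithm SHA256 -Path $_.ExecutablePath).Hash
        } else {
            '(path unavailable)'
        }
        [pscustomobject]@{
            PID    = $_.ProcessId
            Parent = $_.ParentProcessId
            Path   = $_.ExecutablePath
            SHA256 = $hash
        }
    }
```

Run it once before any cleanup and again after the reboot, and compare the two outputs: a file that comes back after being deleted is either being re-dropped by another component still on the box (the Trend list above still shows several "Non Cleanable" downloaders and a backdoor) or is registered in a location the first pass did not cover, and the diff shows which. The parent PID of the running instance is the quickest pointer to whatever is respawning it.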