mswinn16.exe

kaybu

Does anyone know what this file is - mswinn16.exe. It shows
up as being infected with W32.Spybot.Worm when I scan
using Norton Anti-virus. Its location is apparently
c:\windows\system32, but when I look there it doesn't
show up (despite having Show all folders and files
ticked).
 
Guest

Unfortunately my knowledge of German goes as far as
asking the directions to the train station!
I'd done a similar search with google, similar results
with yahoo too - thanks anyway :)
 
Martin Hudec

Hi all,
I will try shortly (won't be easy):
10 days ago I identified this process as suspicious on my PC, for these
reasons:
- not known process mswinn16.exe (no info on internet at all about such
file)
- runs from HKLM/Run, if deleted from registry, recreates it
- if deleted from 'system32', recreates itself (possibly another file does
it, but I am not able to identify which one)
- recreates itself + registry entry even though I have turned off 'System Restore'
on my WinXP and killed the process before
- Kerio PF detects its request for TCP communication (both in/out), if
allowed, network communication program detects almost permanent activity
to/from internet
- currently no antivirus SW detects it as virus (I've tried already several
with the latest definitions)
I sent these symptoms with file (end of last week) to symantec, f-prot,
eset, alwil and to one person (avir specialist).
Symantec, f-prot, eset and the person have confirmed that it is a virus (new
version of Spybot or Rbot). ALL wrote to me that "new update of our SW will
recognize it" - in other words, it was not known before my submission.
NAV from symantec is already detecting this file/process as virus (I have no
info about other SWs) and it detects it as Spybot, which is known (according
to their web pages) from April (it looks as not 100% fair game from symantec,
but it's another topic...).

I was looking for info about mswinn16 on google (as you).
At 1st there was nothing, after a few days only one polish forum - I am
Slovak, and I roughly understand Polish - they were just asking, what it
is - I sent the info to forum admin, so they put there one sentence for the
people, that mswinn16 is virus. After another few days also german forum was
found in google. But again, people were just asking, what it is, no answer.
I do not want to join (register) there and I found no other way, how to
inform people there about mswinn16...

If you cannot find the file, which was detected by NAV, it's because NAV has
deleted it and moved to quarantine (by default). So it is good for you.
Another scan should not find it again.
For other people - update your antivir SW and try to clean it the usual way.
Hopefully also other SW companies will update their virus definitions in a
short time (if not done already).

And the last advice - if you have this virus, it means (according to the
description of Spybot) that you have probably not patched your OS with the
latest patches. It's not very good. The time of viruses in email attachments
ends up (it needs users' stupidity). But current viruses can infect your PC
just by connecting it to net and sit'n'wait. :(

Martin
------------
 
Martin Hudec

additional info:

The file has all attributes on (archive-system-read only-hidden), so it is
possible that you (by default) cannot see it.
If you have it still on your PC and NAV cannot clean it (as you have
described in 'ms'.'pub'.'wxp'.general), then:
- follow the advice from others in newsgroup ....general
or
- try to look at task manager - if you see mswinn16.exe among the running
processes, end this process before scanning with NAV...

(BTW - check in root of C:\ if there is not present some other .exe file,
which has no sense to be there...)

M
---------
 
monologist

in the registry, i've got
mswinn16.exe in 'run',
and
scvhost.exe in 'runservice'
which pretends to be a system file
(i'm not sure if you have this as well).

as Martin Hudec described,
also some other .exe files were found in dir c://,
they are removable.
but though i deleted mswinn16.exe from system directory and the
registry,
it seems to be recreated every time when windows restarts.

however, iparmor solved my prb,
here is a link:
http://www.luosoft.com/index2.htm

prefer to remove it manually,
but i just can't find any info about it at the moment :


-
monologis
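
The checks described across the posts above (Run and 'runservice' registry entries, a hidden+system+read-only file in system32, stray .exe files in the root of C:, a running mswinn16.exe process), gathered into a read-only PowerShell triage script. This is an added example, not part of the original thread; the `RunServices` key spelling and the HKCU lookup are assumptions, and the file names are the ones the posters reported.

```powershell
# Added example: read-only triage for the indicators named in this thread.
# File names are the ones the posters reported; nothing is deleted or changed.
$names = @('mswinn16.exe', 'scvhost.exe')

# 1. Autostart values. 'RunServices' is an assumed spelling of the poster's
#    'runservice'; checking HKCU as well as HKLM is also an assumption.
$keys = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($sub in 'Run', 'RunServices') {
        "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
    }
}
$autoruns = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($valueName in $item.GetValueNames()) {
        $data = [string]$item.GetValue($valueName)
        [pscustomobject]@{
            Key = $key; Value = $valueName; Data = $data
            Flagged = [bool]($names | Where-Object { $data -like "*$_*" })
        }
    }
}

# 2. Executables in system32 carrying all of Hidden+System+ReadOnly (the
#    attribute set described above) or a reported name. -Force is required,
#    otherwise hidden/system files are skipped, as in Explorer's default view.
$mask = [int][IO.FileAttributes]'Hidden, System, ReadOnly'
$sys32 = Get-ChildItem "$env:windir\System32" -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
    Where-Object { (([int]$_.Attributes -band $mask) -eq $mask) -or ($names -contains $_.Name) }

# 3. Every .exe sitting directly in the root of the system drive, for manual review.
$rootExe = Get-ChildItem "$env:SystemDrive\" -Filter *.exe -File -Force -ErrorAction SilentlyContinue

# 4. Running processes with a reported name (Get-Process takes names without .exe).
$procs = Get-Process -Name ($names -replace '\.exe$') -ErrorAction SilentlyContinue

'--- Autostart entries (Flagged = data mentions a reported name) ---'
$autoruns | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
'--- system32: hidden+system+read-only or reported-name executables ---'
$sys32 | Select-Object FullName, Attributes, Length, LastWriteTime | Format-Table -AutoSize
'--- .exe files in the drive root ---'
$rootExe | Select-Object FullName, Attributes, Length, LastWriteTime | Format-Table -AutoSize
'--- Running processes with a reported name ---'
$procs | Select-Object Name, Id, Path | Format-Table -AutoSize
```

A system32 file carrying all three attributes is not malicious by itself; the attribute filter only narrows the list to review alongside the autostart and process results.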
 
