What's msiwin84.exe, and how can I get rid of it?
April 27, 2004 3:20 PM

What the hell is msiwin84.exe? Somehow this has been installed on my computer in c:\windows\system. Zonealarm warned me that it was trying to access the internet and act as a server. And then about 300 identically sized exe files (136 KB each) with random filenames showed up in c:\. Symantec virus scan didn't pick anything up, and google comes up empty for variations of the filename. I deleted questionable files with today's date stamp, and rebooted - am I okay now?
posted by PrinceValium to Computers & Internet (10 answers total)
 
Sounds suspicious as anything, all right. Have you updated your virus file definitions? If not, do that, and then run another virus scan. Also run Ad-aware and/or Spybot Search and Destroy (preferably both of them, as their coverage doesn't completely overlap). If all of that shows you clean, then perhaps you are, but you should probably update your virus definitions and rescan a few more times over the coming week.
posted by Zonker at 3:26 PM on April 27, 2004


Try taking the exact size of the files and plugging it into google.
posted by smackfu at 6:48 PM on April 27, 2004
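The "300 identically sized exe files with random filenames" pattern from the question is easy to spot mechanically, and the same size/name clustering is what you would run before plugging a byte count into Google. The script below is an added example, not code from the thread or from any of the tools it mentions; the directory listing is constructed to mimic the question (136 KB is assumed to mean 139264 bytes), and the "random-looking name" heuristic (few vowels, letters only) is an assumption that may need tuning.

```python
import os
from collections import defaultdict

EXEC_EXTENSIONS = {".exe", ".com", ".scr", ".pif"}
VOWELS = set("aeiouy")

# Constructed sample directory listing as (filename, size in bytes). It mimics
# the question: several identically sized .exe files (136 KB = 139264 bytes)
# with random names next to ordinary files. Not taken from a real system.
SAMPLE_LISTING = [
    ("autoexec.bat", 128),
    ("boot.ini", 211),
    ("ntldr", 250032),
    ("setup.exe", 139264),   # same size, but a normal-looking name
    ("qzxkvb.exe", 139264),
    ("wrpmtl.exe", 139264),
    ("hjdqsz.exe", 139264),
    ("xkfbpn.exe", 139264),
    ("tzvqmr.exe", 139264),
]


def looks_random(stem: str) -> bool:
    """Cheap heuristic for machine-generated names: a letters-only stem of
    at least five characters with fewer than 20% vowels. This is an
    assumption for illustration, not a rule that catches every dropper."""
    s = stem.lower()
    if len(s) < 5 or not s.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in s) / len(s)
    return vowel_ratio < 0.2


def cluster_by_size(listing, min_cluster=3):
    """Group executable-looking files by exact byte size and keep clusters
    of at least min_cluster members (the 300 x 136 KB pattern)."""
    by_size = defaultdict(list)
    for name, size in listing:
        if os.path.splitext(name)[1].lower() in EXEC_EXTENSIONS:
            by_size[size].append(name)
    return {size: sorted(names) for size, names in by_size.items()
            if len(names) >= min_cluster}


def find_suspicious_clusters(listing, min_cluster=3):
    """Return {size: [names]} for size clusters in which at least min_cluster
    members also have random-looking stems. Same-size files with ordinary
    names (a vendor's setup.exe, say) are left out of the reported names."""
    result = {}
    for size, names in cluster_by_size(listing, min_cluster).items():
        random_named = [n for n in names if looks_random(os.path.splitext(n)[0])]
        if len(random_named) >= min_cluster:
            result[size] = random_named
    return result


def scan_directory(path, min_cluster=3):
    """Run the same check against a real directory (non-recursive),
    e.g. scan_directory("C:\\\\")."""
    listing = [(e.name, e.stat().st_size) for e in os.scandir(path) if e.is_file()]
    return find_suspicious_clusters(listing, min_cluster)


if __name__ == "__main__":
    for size, names in find_suspicious_clusters(SAMPLE_LISTING).items():
        print(f"{len(names)} random-named executables of exactly {size} bytes: {names}")
```

Run it against the drive root to get the exact byte size and the list of names in one go; the size is what you search for, and the names are what goes into the deletion list once the process that writes them has been stopped.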


Odd that Symantec virus scan didn't pick anything up if definitions are updated, but the 300 exe files definitely sounds like a worm of some sort.
posted by juv3nal at 6:56 PM on April 27, 2004


Response by poster: The ZoneAlarm logs point to "malalala.bin-laden.cc".

That's what I get for being an infidel.
posted by PrinceValium at 7:38 PM on April 27, 2004


Response by poster: And my hosts file got changed to block requests to symantec.com and mcafee.com. This is getting cleverer by the minute.
posted by PrinceValium at 7:44 PM on April 27, 2004
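Checking the hosts file for exactly the kind of tampering described above is a two-minute job, and worth scripting because the entries are often buried under tabs, comments or several hostnames on one line. The script below is an added example, not code from the thread; the hosts file content is constructed, and the vendor list beyond symantec.com and mcafee.com (trendmicro.com, kaspersky.com, windowsupdate.com) is an assumption about what such malware typically blocks.

```python
import os
import sys

# Vendor domains the thread saw blocked, plus a few others commonly targeted;
# the extra entries are assumptions for illustration.
WATCHED_DOMAINS = (
    "symantec.com",
    "mcafee.com",
    "trendmicro.com",
    "kaspersky.com",
    "windowsupdate.com",
)

# Constructed sample hosts file content, not from the poster's machine.
# Note the mix of spaces and tabs, the trailing comment and the two names
# on one line: all legal hosts-file syntax that a naive grep misses.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.symantec.com   securityresponse.symantec.com   # added by malware
127.0.0.1\tliveupdate.symantec.com
0.0.0.0   download.mcafee.com
192.168.1.10   intranet.example.local
  127.0.0.1 housecall.trendmicro.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in a hosts file:
    strips comments, tolerates spaces or tabs, and expands lines that map
    several hostnames to one address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            yield line_no, ip, name.lower()


def is_watched(hostname):
    """True for a watched domain or any subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacked_entries(text):
    """Return every mapping of a watched vendor hostname. A clean hosts file
    has no reason to mention these at all, so the target IP is irrelevant:
    127.0.0.1 and 0.0.0.0 black-hole the update servers, while a remote
    address would silently redirect them somewhere else."""
    return [(n, ip, host) for n, ip, host in parse_hosts(text) if is_watched(host)]


def check_system_hosts(path=None):
    """Read the live hosts file. On NT-based Windows it lives under
    %SystemRoot%\\system32\\drivers\\etc; on Windows 9x it is
    C:\\Windows\\hosts, so pass that path explicitly there."""
    if path is None:
        if sys.platform.startswith("win"):
            root = os.environ.get("SystemRoot", r"C:\Windows")
            path = os.path.join(root, "system32", "drivers", "etc", "hosts")
        else:
            path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_hijacked_entries(f.read())


if __name__ == "__main__":
    for line_no, ip, host in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip}")
```

Remember that the hosts file is often set read-only or rewritten by a running process after you fix it, so clean it from safe mode and re-run the check after the reboot.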


Dunno about 2K & XP, but in 98, you can do a start -> run -> msconfig, and switch over to the startup tab to see what gets loaded when you boot up. Any programs you don't recognize there, do a google on.
posted by trondant at 8:13 PM on April 27, 2004


PV, I had a client whose computers were hit by a worm that installed the SCVHOST trojan (in Task Manager, you're supposed to confuse it with the legitimate SVCHOST process). This sounds like a variant of that. Look up agobot removal techniques, as you may have to boil your own.

In the case cited, the hosts file was similarly borked, and the trojan was smart enough to automatically shut down both Norton and McAfee anti-virus, Trend Micro's Housecall site, as well as most Windows system tools, the command prompt, and even Notepad and EDIT. (The windows would appear, then the Trojan would close them, often before you could type or click.) I had to boot XP into safe mode, delete the offending files and registry entries, and more. The only way I was able to identify the culprit in the first place was by running an obscure anti-virus I found that only came in Finnish (but had useful graphical help).

That was one frabjous day.

(When I realized what was going on, I mouthed the line from Jurassic Park -- "Clever girl ...")

But the advice above was good -- the AV industry was slow to react to the spyware problem, for various reasons, though the top names are embracing it at last. There's just so much out there that's malware but not destructive that the AV companies probably won't be able to keep up with it and maintain their core competency.
posted by dhartung at 9:55 PM on April 27, 2004


MSCONFIG works like a charm for Windows XP, but you need to download the program for W2K, as it doesn't ship with the OS (just google "msconfig windows 2000" and you'll find something).
posted by jmd82 at 10:11 PM on April 27, 2004


Response by poster: Thanks everyone. I think I'm back to normal, though it's odd that Ad-aware, Spybot, and Norton scan found nothing. I routinely tell ZoneAlarm to block requests to svchost.

This was a really smart worm - it tried its best, though it wasn't totally successful, to block the use of Norton. I couldn't imagine what kind of stuff would happen to a non-savvy Internet Explorer user.

msconfig is an absolute lifesaver.
posted by PrinceValium at 8:52 AM on April 28, 2004


One clever thing they do is change the association for exe files to be the trojan. So it can disable things like regedit and msconfig just by not running them. With one of these beasties, the only way to disable it was to rename your regedit.exe to regedit.com. Fun.
posted by smackfu at 10:00 AM on April 28, 2004
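The association trick above is visible in the registry: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command is normally just `"%1" %*`, and a hijack prepends its own program so that it runs (and can refuse to launch) every .exe. The regedit.com rename works because .com files go through comfile, a separate key, which is why a thorough audit checks that one too. The script below is an added example, not code from the thread; the hijacked sample values are constructed, the injected path is invented for illustration, and the stock command strings are those of Windows 2000/XP.

```python
import sys

# Stock default values of <class>\shell\open\command on Windows 2000/XP.
# Anything else means another program inserted itself in front of every
# launch of that file type, which is how the trojan "disables" regedit and
# msconfig: its handler simply declines to start them.
EXPECTED_COMMANDS = {
    "exefile": '"%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
}

# Constructed sample of a hijacked registry. The path is hypothetical;
# only exefile is touched, so a renamed regedit.com would still run.
SAMPLE_HIJACKED = {
    "exefile": '"C:\\WINDOWS\\system\\evil.exe" "%1" %*',
    "comfile": '"%1" %*',
    "batfile": '"%1" %*',
}


def check_association(file_class, command):
    """Return (ok, injected): ok is True when the value is the stock one;
    otherwise injected is whatever precedes the "%1" %* tail (or the whole
    value if the tail itself was rewritten)."""
    expected = EXPECTED_COMMANDS[file_class]
    cmd = command.strip()
    if cmd == expected:
        return True, ""
    if cmd.endswith(expected):
        return False, cmd[:-len(expected)].strip()
    return False, cmd


def audit(values):
    """values maps file class -> command string. Returns a list of
    (file_class, injected_program) for every class that is not stock;
    a missing key is reported too, since deleting it also breaks launches."""
    findings = []
    for file_class in EXPECTED_COMMANDS:
        cmd = values.get(file_class)
        if cmd is None:
            findings.append((file_class, "<missing>"))
            continue
        ok, injected = check_association(file_class, cmd)
        if not ok:
            findings.append((file_class, injected))
    return findings


def read_live_values():
    """Windows only: read the default value of each
    HKEY_CLASSES_ROOT\\<class>\\shell\\open\\command key."""
    import winreg  # standard library on Windows builds of Python
    values = {}
    for file_class in EXPECTED_COMMANDS:
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT,
                                rf"{file_class}\shell\open\command") as key:
                values[file_class] = winreg.QueryValueEx(key, "")[0]
        except OSError:
            pass  # key absent; audit() reports it as missing
    return values


if __name__ == "__main__":
    values = read_live_values() if sys.platform.startswith("win") else SAMPLE_HIJACKED
    for file_class, injected in audit(values):
        print(f"{file_class}: hijacked by {injected}")
```

If exefile is hijacked, the script itself may not start on the infected box when launched by double-click; run the interpreter from safe mode, or apply the same rename trick and export the key with a .reg file from a clean machine.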

