Is MSWin.exe some form of malware?


I'm using msconfig to remove all the startup items I can from my son's PC and
found an entry for MSWin.exe that we don't have on our other computers. The
path name is C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\MSWin.exe

A google search found many references to this file and all of them I checked
indicated the file is some form of malware--but I'd like to get some feedback
from this forum. Does anyone know if this is in fact a file I should remove
from startup? Maybe even get rid of entirely?
 
A Google search had many references...and all of them you checked
indicated it's malware...but you're still not sure...

Msconfig won't remove malware. For that you need antivirus and
anti-spyware software with updated malware definitions.
 
Hi, msconfig is not intended as a startup manager. You really shouldn't be
removing programs from there. There are tools, many free, you can use which
are startup managers. msconfig is intended as a troubleshooting device, and
as such all entries should stay there until removed by a normal startup
manager. I suggest you stop removing programs and go to
http://www.cnet.com/downloads and look for startup manager utilities there.
You can select from sections or put in a search query in the upper right hand
search box. I use a nifty little program called CCleaner, and it is a startup
manager, software removal manager, disk cleanup manager, cookie manager,
registry cleaner manager, etc. It's a very small, easy to use tool with a great
registry backup right into the My Documents folder or anywhere else you
choose. I have been using it for a year now with great results. Just consider
using msconfig as intended to avoid unintended consequences.
 
Yes, I understand msconfig doesn't remove malware--in fact it doesn't remove
anything on its own--it just provides an interface for making manual changes
to a PC's configuration, including which items will run at startup. What I
was trying to say is I haven't yet used msconfig to remove MSWin.exe
manually--I'm hoping to get some feedback about it on this forum to see if
people here agree that it is in fact some form of malware. I ran NAV and
SpySweeper (both current in regard to definition updates) and neither of them
flagged MSWin.exe. I've also run Spybot and AdAware within the last few
weeks with current updates and they didn't flag it either. Since the google
search indicates MSWin.exe is malware but none of the apps I mentioned
flagged it as a problem/risk, I'm trying to determine whether or not it's
really malware/adware/spyware/virus etc.
 
The thing about malware these days is that it's very tricky to find, let
alone eliminate. The lucky ones get infected with something everyone
knows about (if you can call that luck.) Others get hit with something
that's hard to pinpoint because it keeps changing its form, or because
it disguises itself as part of the operating system. Also, if you've
been picking away at it you may have removed just enough so that a
scanner can no longer see it.

The startup tab of the system configuration utility (aka msconfig) was
designed as a way to test which item that runs at startup is causing a
problem for the PC. Basically, you start with everything prevented from
starting, then you allow one thing at a time to start until you hit on
which startup item is causing the problem. It's tedious, but it usually
works.

Once you know which startup item is causing a problem, you find out
which program 'owns' that startup item and troubleshoot in the program
itself. Msconfig is not the cure - it's the diagnostic tool. It's not a
good idea to interfere with a program's startup process on a full-time
basis.

Of course, malware will often try to insert itself in Windows startup.
Once you have determined that a startup item belongs to malware you have
to get rid of the malware. These days, that means trying half a dozen or
more different scanners, or (if you're lucky) finding specific manual
removal instructions from the website of one of the major anti-malware
companies, a HiJackThis analysis and, when nothing else works, a clean
install.
 
If your computer has the mswin.exe process on it, your system might be
infected with a trojan known as 'netcrack.b'.

Google for netcrack.b removal.


| Yes, I understand msconfig doesn't remove malware--in fact it doesn't remove
| anything on its own--it just provides an interface for making manual changes
| to a PC's configuration, including which items will run at startup. What I
| was trying to say is I haven't yet used msconfig to remove MSWin.exe
| manually--I'm hoping to get some feedback about it on this forum to see if
| people here agree that it is in fact some form of malware. I ran NAV and
| SpySweeper (both current in regard to definition updates) and neither of them
| flagged MSWin.exe. I've also run Spybot and AdAware within the last few
| weeks with current updates and they didn't flag it either. Since the google
| search indicates MSWin.exe is malware but none of the apps I mentioned
| flagged it as a problem/risk, I'm trying to determine whether or not it's
| really malware/adware/spyware/virus etc.
| --
| So much to learn... So little time.
|
|
| "Ted Zieglar" wrote:
|
| > A Google search had many references...and all of them you checked
| > indicated it's malware...but you're still not sure...
| >
| > Msconfig won't remove malware. For that you need antivirus and
| > anti-spyware software with updated malware definitions.
| >
| > ---
| > Ted Zieglar
| > "Backup is a computer user's best friend."
| >
| > Roughneck wrote:
| > > I'm using msconfig to remove all the startup items I can from my son's PC and
| > > found an entry for MSWin.exe that we don't have on our other computers. The
| > > path name is C:\Documents and Settings\All Users\Start
| > > Menu\Programs\Startup\MSWin.exe
| > >
| > > A google search found many references to this file and all of them I checked
| > > indicated the file is some form of malware--but I'd like to get some feedback
| > > from this forum. Does anyone know if this is in fact a file I should remove
| > > from startup? Maybe even get rid of entirely?
| >
 
From: "Roughneck" <[email protected]>

| I'm using msconfig to remove all the startup items I can from my son's PC and
| found an entry for MSWin.exe that we don't have on our other computers. The
| path name is C:\Documents and Settings\All Users\Start
| Menu\Programs\Startup\MSWin.exe
|
| A google search found many references to this file and all of them I checked
| indicated the file is some form of malware--but I'd like to get some feedback
| from this forum. Does anyone know if this is in fact a file I should remove
| from startup? Maybe even get rid of entirely?


Please submit a sample of "MSWin.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
I'd like to thank everyone for their help. Dave, tomorrow I'll try to get
the MSWin.exe file submitted to the link you provided--I'll post the results
as soon as I get some feedback on the sample.

Regarding the use of msconfig, I appreciate the concern and will look into
the other utilities mentioned--but I cut my teeth on msconfig a few years back
before ever hearing about the various utility programs that can be used and
I'm quite comfortable with it. I have tried a couple of utility programs in
the past with the impression they might be safer and/or easier to use, but
from what I experienced with the utilities, they were just another interface
to the startup list and the end result was the same as if I made the startup
changes directly via msconfig. When disabling a startup item in msconfig,
the entry for the item stays in the list and can easily be turned back on if
wanted/needed--so I'm puzzled about the concern of using msconfig directly.
But like I said, I will take a look at some of the utilities that were
mentioned--it's always nice to have options. :-)

Again... I'll post back as soon as I have results from the sample file I'll
be submitting.
 
Roughneck said:
I'd like to thank everyone for their help. Dave, tomorrow I'll try to get
the MSWin.exe file submitted to the link you provided--I'll post the results
as soon as I get some feedback on the sample.

Regarding the use of msconfig, I appreciate the concern and will look into
the other utilities mentioned--but I cut my teeth on msconfig a few years back
before ever hearing about the various utility programs that can be used and
I'm quite comfortable with it. I have tried a couple of utility programs in
the past with the impression they might be safer and/or easier to use, but
from what I experienced with the utilities, they were just another interface
to the startup list and the end result was the same as if I made the startup
changes directly via msconfig. When disabling a startup item in msconfig,
the entry for the item stays in the list and can easily be turned back on if
wanted/needed--so I'm puzzled about the concern of using msconfig directly.
But like I said, I will take a look at some of the utilities that were
mentioned--it's always nice to have options. :-)

Again... I'll post back as soon as I have results from the sample file I'll
be submitting.

Unfortunately, most things that run on startup aren't found in msconfig.
Try a free (and super) program called "autoruns".

http://www.sysinternals.com/Utilities/Autoruns.html
 
I submitted the file to VIRUSTOTAL which ran it through a total of 26
Antivirus programs. Of the 26 programs, 13 flagged it. The results are
shown below with the program name followed by the result/description.

AntiVir . . . . . . . HEUR/Crypted
Avast . . . . . . . Win32:Trojan-gen {Other}
AVG . . . . . . . . Downloader.Generic2.DXN
CAT-QuickHeal . Backdoor.Sdbot.gen
DrWeb . . . . . . Trojan.DownLoader.10740
eTrust-Vet . . . Win32/Suspect
Ewido . . . . . . . Downloader.Murlo.da
Fortinet . . . . . suspicious
Kaspersky . . . Trojan-Downloader.Win32.Murlo.da
McAfee . . . . . Downloader-YO
NOD32v2 . . . . a variant of Wind32/TrojanDownloader.Murlo
Norman . . . . . W32/Murlo.HT
Panda . . . . . . Trj/Downloader.JID

I've never used any of the 26 Antivirus programs listed--in fact I've never
heard of most of them. I guess I'll need to use one of the antivirus programs
that detected the problem if I want to clean it off my son's PC. Of the 13
that flagged it, I've heard of Avast, AVG, and of course, McAfee--I think I'd
prefer to stick with one of those three. I can get McAfee free through
MSN, but hadn't downloaded it before this because I didn't know if it would
cause conflicts with Norton, which I'm currently using. If anyone knows of
pros and/or cons to any of those three, I'd appreciate your feedback.

PS: David, this site appears to be a great resource. Thanks for the link!
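Reading a multi-engine report like the one above is a triage exercise: count how many engines fired, then look past the generic labels (Trojan-gen, Downloader, Suspect, HEUR) for the family name the named verdicts agree on. The following Python is an added example, not code from VirusTotal or from anyone in this thread; the report text is constructed from the results posted above, and the lists of generic words used to filter verdicts are my assumption.

```python
# Added example (not VirusTotal's or the thread's code): parse a multi-engine
# report and reduce the vendor verdicts to a detection ratio plus a family
# consensus. Report text constructed from the 13/26 results posted above.
import re
from collections import Counter

VT_REPORT = """\
AntiVir . . . . . . . HEUR/Crypted
Avast . . . . . . . Win32:Trojan-gen {Other}
AVG . . . . . . . . Downloader.Generic2.DXN
CAT-QuickHeal . Backdoor.Sdbot.gen
DrWeb . . . . . . Trojan.DownLoader.10740
eTrust-Vet . . . Win32/Suspect
Ewido . . . . . . . Downloader.Murlo.da
Fortinet . . . . . suspicious
Kaspersky . . . Trojan-Downloader.Win32.Murlo.da
McAfee . . . . . Downloader-YO
NOD32v2 . . . . a variant of Wind32/TrojanDownloader.Murlo
Norman . . . . . W32/Murlo.HT
Panda . . . . . . Trj/Downloader.JID
"""
TOTAL_ENGINES = 26  # engines that scanned the sample, per the post

LINE_RE = re.compile(r"^(\S+)\s+(?:\.\s*)*(.*\S)\s*$")
# Assumed lists: words that state behaviour, platform or confidence, not a family.
GENERIC_WORDS = {"heur", "crypted", "other", "suspect", "suspicious", "variant", "backdoor"}
GENERIC_PARTS = ("trojan", "downloader", "generic")

def parse_report(text):
    """Return (vendor, verdict) pairs from the dotted two-column layout."""
    return [(m.group(1), m.group(2)) for m in map(LINE_RE.match, text.splitlines()) if m]

def family_tokens(verdict):
    """Alphabetic tokens of 4+ chars that are not generic descriptors; short
    suffixes like '.da' or '.HT' are variant letters, not family names."""
    toks = re.findall(r"[a-z0-9]+", verdict.lower())
    return {t for t in toks if len(t) >= 4 and t.isalpha()
            and t not in GENERIC_WORDS and not any(p in t for p in GENERIC_PARTS)}

def triage(text, total_engines):
    """Summarise how many engines fired and which family name they agree on."""
    rows = parse_report(text)
    votes, unnamed = Counter(), 0
    for _, verdict in rows:
        fams = family_tokens(verdict)
        votes.update(fams)
        unnamed += not fams          # heuristic/generic-only verdicts
    family, count = votes.most_common(1)[0] if votes else (None, 0)
    return {"detections": len(rows), "ratio": len(rows) / total_engines,
            "family": family, "family_votes": count, "unnamed": unnamed}
```

On the posted report this yields 13 detections (ratio 0.5), with "murlo" named by 4 engines and 8 verdicts that are heuristic or generic only, which is why a single scanner's silence is weak evidence either way.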
 
Ewido (AVG Anti-Spyware 7.5) - http://www.ewido.net/en/download/
or a-squared FREE - http://www.emsisoft.com/en/software/free/
will remove it. BUT, Murlo variants *will* download other malware and
*may* delete themselves after doing so -
http://secunia.com/virus_information/32142/murlo-n/

Suggest you seek assistance at a reputable anti-malware forum. Please
read the guidelines of the forum of your choice prior to posting -
( in alphabetical order )

http://forum.aumha.org/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/HijackThis_Logs_and_Analysis-f22.html
http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
http://forums.spywareinfo.com/index.php?showforum=44
http://spywarewarrior.com/viewforum.php?f=2


MowGreen [MVP 2003-2007]
===============
*-343-* FDNY
Never Forgotten
===============
 
From: "Roughneck" <[email protected]>

| I submitted the file to VIRUSTOTAL which ran it through a total of 26
| Antivirus programs. Of the 26 programs, 13 flagged it. The results are
| shown below with the
| program name followed by the result/description.
|
| AntiVir . . . . . . . HEUR/Crypted
| Avast . . . . . . . Win32:Trojan-gen {Other}
| AVG . . . . . . . . Downloader.Generic2.DXN
| CAT-QuickHeal . Backdoor.Sdbot.gen
| DrWeb . . . . . . Trojan.DownLoader.10740
| eTrust-Vet . . . Win32/Suspect
| Ewido . . . . . . . Downloader.Murlo.da
| Fortinet . . . . . suspicious
| Kaspersky . . . Trojan-Downloader.Win32.Murlo.da
| McAfee . . . . . Downloader-YO
| NOD32v2 . . . . a variant of Wind32/TrojanDownloader.Murlo
| Norman . . . . . W32/Murlo.HT
| Panda . . . . . . Trj/Downloader.JID

< snip >

| PS: David, this site appears to be a great resource. Thanks for the link!

It sure is !

Start with the McAfee module in the below Multi AV Scanning Tool...


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
First, I want to thank everyone again for your help. THANK YOU!! Some of
the virus forum sites that were noted in your replies are the same sites I
found while doing the google search mentioned in my original post. Some of
the others are sites I'll be adding to my list of helpful tech site
favorites.

Second, I'd like to give a quick update. I only had a couple of hours out
of the next few days that I'd be able to work on my son's PC, so I decided to
download the Avast and AVG applications. I tried the Avast first and it
immediately identified a problem with malware in memory and displayed a
message that it wasn't a good idea to run it from Windows and it asked me to
reboot. I did and it ran a scan from what I think of as something of a DOS
mode. It identified several files (including MSWin.exe) and I opted to put
them in "the chest", which as far as I can tell is basically the same thing
as putting them in quarantine. That also removed MSWin.exe from the startup
list as viewed from msconfig, so I think I'm in good shape for the moment.

I will be checking out the links for all the sites and applications provided
in your replies--I'm very grateful for each link and for all your time and
consideration. I can't say I enjoy dealing with the problems, but they do
have a way of introducing a person to a wonderful range of resources--not to
mention some very kind people.
 