MSAPPS.EXE malware.. cannot clean-- help?

Whitemtntn

IS-IT--Management
Nov 6, 2000
161
US
Hi--
I am an IT manager and I've been doing this for a while. I have cleaned many machines in my time of various garbage, but I have run into something that thus far I cannot get rid of.
I have found this on 2 of my Win2K Pro machines recently.

An executable called "msapps.exe" continues to recreate itself no matter what I do-- It causes IE to stop working -- will not open web pages.

let me tell you what I HAVE done...

- Started PC in Safe Mode.
- Ran AdAware (with latest updates)
- Ran SpyBot (with latest updates)
- Ran the latest Stinger.exe virus removal
- Ran the latest Trend Sysclean virus removal
- Ran HijackThis and removed references to this file in Run and RunServices (which lists it as "Microsoft SpA service")
- Took properties of the msapps.exe file-- no version nor company info, and created recently (located in C:\WINNT\SYSTEM32).
- Deleted actual msapps.exe file
- Deleted msapps directory (which was empty) which contained a subdirectory called msinfo (also empty). The msapps directory was located in c:\winnt
- Searched for any other instances of this file (with hidden and system files visible)-- nothing there.
- Cleared out all Temp directories, and Temporary Internet Files
- Checked HOSTS file for any references - nothing
- Reboot and login-- it recreates itself and puts itself back in HKEY_LOCAL_MACHINE Run and RunServices.

I have verified that everything else appearing in HiJackThis is legit. On Google I only got 2 hits for msapps.exe-- something about a Trojan called L'Armageddon. No advice on cleaning though.

It's possible that this is associated with malware called x.exe and vsp32.exe, as I have seen these present when msapps.exe is present.

Any ideas? I would appreciate it greatly.
Thanks..

Jack Weisberg
IT Manager
McNamee Lochner Titus & Williams
weisberg@mltw.com

Maybe I missed it, but did you check the registry?
 
Yes, I did check it, although HijackThis does list anything that is run at startup.
 
Run an online antivirus check from at least one and preferably 2 of the following sites....

make sure autoclean is enabled on the scans

Try the Killbox on it: paste its full path into the Killbox, check "delete on reboot", click the X and click to reboot.

pocket killbox

 
Config button, misc tools. HijackThis has a process manager and an option to show dll files. You could try checking that.

Or could give this a try:

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Also, just to check, are you using the current HJT version, 1.98.2 or 1.99.0?

 
HJT version 1.99.0


I checked DLL files in the HJT process list-- it lists about 35 of them-- they all seem legit, I think.
I will try running these virus checks you recommended..
A few more of my machines here have picked this up.

It must be new? no documentation anywhere...

-Jack


 
have you submitted this to MS, CERT, Sophos, or any of the top virus groups?
 
I found a few threads on CastleCops, Dec 2003 to mid-year 2004, that had the msapps folder but different file names for the exe file - I think it was maybe 6 threads from 3 different posters.

I found one other msapps folder, again with a different exe file name, and I think again mid 2004, on another site.

Based on that, and your comments above, I would think it is probably an existing but uncommon problem.


 
Here is what i found out so far....

msapps.exe is associated with a file called vsp32.exe

After I kill the processes, and delete all traces of the files, I observed that tftp.exe is called by svchost.exe and new copies are downloaded from somewhere. Once the new copies are downloaded, they are executed, and all the startup registry entries are recreated.

The question is-- how and why is svchost.exe doing this, as svchost.exe is a Windows process. Right now, I am dealing with it by disallowing tftp traffic at my firewall... but I really would like to find out what's going on, and why no software is detecting this stuff.

-Jack
 
I would guess you have a trojan masquerading as svchost.exe. Remember, svchost.exe is a generic name for a lot of different Windows processes; I just checked Task Manager on WinXP Home and I have 4 svchost.exe's running now.
 
Well, I did a search for svchost.exe and I found only one, and it says it's a Microsoft file....
 
Here is a thread where that file shows up:
You can also see the start of the fix process.

I think the basic principle is that there is a group of stuff, the specifics will be different on your machine, but the principle of finding the group of problem items and correcting them would be the same.

 
I would recommend using Microsoft's new anti-spyware beta. Any type of anti-spyware program I have used is bad, and HijackThis wasn't helping either, but Microsoft's anti-spyware works great and does a good job cleaning the registry! After that, say bye to spyware.
 

This is definitely a denial of service attack-- flooding the firewall with thousands of packets.

If anyone needs help with this.........

What i've been doing, and so far it's working, is-
- kill the processes, clean the machine completely of vsp32.exe, msapps.exe, x.exe, msxp.exe

- clear out all the registry entries referring to these files

- go to Windows Update and install every critical update there is for Windows 2000

That seemed to do the trick. It seems to affect W2K only. Just make sure you clean out all the files-- all of the ones I mentioned.
Can't believe there is just about no info about these files on the net.

Here is a batch file I wrote that cleans out the files for you. Create a text file, copy and paste the following into it, save, and change the extension from .txt to .bat.


rem Run this after killing the processes. For each file: strip the system,
rem hidden and read-only attributes so del can remove it, then delete every
rem match on the drive (/s = include subdirectories, /a = any attributes).
attrib -s -h -r c:\vsp32*.* /s
del c:\vsp32*.* /s /a

attrib -s -h -r c:\msapps*.* /s
del c:\msapps*.* /s /a

attrib -s -h -r c:\x.exe /s
del c:\x.exe /s /a

attrib -s -h -r c:\msxp.exe /s
del c:\msxp.exe /s /a

rem Remove the (empty) dropper directories; rd just reports an error if they are already gone.
rd c:\winnt\msapps\msinfo
rd c:\winnt\msapps
pause



-Jack
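An added triage script, not from this thread or any of its posters, that checks a Windows host for the indicators the thread describes: Run/RunServices values naming the files, copies of the files under the Windows directory, an svchost.exe running from outside System32, and any tftp.exe together with its parent process. Only the file names come from the thread; the registry paths, the PowerShell 3+ cmdlets and the elevated session are assumptions.

```powershell
# Added example (not from the thread): triage checks for the indicators
# described above. Run in an elevated PowerShell (3+) session.
# Only the file names come from the thread; everything else is an assumption.
$suspectNames = @('msapps.exe', 'vsp32.exe', 'x.exe', 'msxp.exe')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

# 1. Autostart values that reference any of the suspect file names.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # provider metadata, not a value
        foreach ($n in $suspectNames) {
            if ("$($p.Value)" -match [regex]::Escape($n)) {
                Write-Output "AUTOSTART  $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 2. Copies of the suspect files anywhere under the Windows directory
#    (the thread found them in System32 and in winnt\msapps).
$winDir = $env:SystemRoot
Get-ChildItem -Path $winDir -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $suspectNames -contains $_.Name } |
    ForEach-Object { Write-Output "FILE       $($_.FullName)  modified $($_.LastWriteTime)" }

# 3. An svchost.exe running from outside System32 (the masquerading case
#    raised above), and any tftp.exe together with its parent process.
$procs = Get-CimInstance Win32_Process
$byId = @{}
foreach ($pr in $procs) { $byId[$pr.ProcessId] = $pr }
$sys32 = Join-Path $winDir 'System32'
foreach ($pr in $procs) {
    if ($pr.Name -ieq 'svchost.exe' -and $pr.ExecutablePath -and
        -not $pr.ExecutablePath.StartsWith($sys32, 'OrdinalIgnoreCase')) {
        Write-Output "ODD-PATH   svchost.exe pid $($pr.ProcessId) from $($pr.ExecutablePath)"
    }
    if ($pr.Name -ieq 'tftp.exe') {
        $parent = $byId[$pr.ParentProcessId]
        $pname = if ($parent) { $parent.Name } else { '<exited>' }
        Write-Output "TFTP       pid $($pr.ProcessId) parent=$pname cmd=$($pr.CommandLine)"
    }
}
```

A clean host prints nothing; each line that does appear is a lead to examine, not proof of infection on its own (a legitimate tftp.exe with an interactive parent is normal on an admin workstation).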
 