Old 10-17-2002, 02:02 PM   #1 (permalink)
Registered User
 
Join Date: Oct 2002
Posts: 13
OS: Win98SE


a strange MSGSRV32.exe file

I'm desperate. I need help.

I was doing a check on my pc when I came to another MSGSRV32.exe file located at:

c:\windows\vxd\

but I still have the Msgsrv32.exe file (notice that the above file was all-caps) in the c:\windows\system directory.

When I check the properties for the one at the VXD folder there is no 'version' tab. It is 31814 bytes in size compared to the original one of 11920 bytes. It is also dated September 30, 2002 at 3:48 AM - and I'm also working until that time.

I'm quite alarmed because I just did a re-install of win98se not a month ago and was infected with a trojan by the filename of 'screg.exe' both before the re-install and after. I think I wiped that out pretty good using NAV and manual manipulation of the registry.

note: NAV doesn't see anything wrong with the file but I've never trusted antivirus software anyway.

anyone?:(
__________________
wachawamedo?

Old 10-18-2002, 01:32 PM   #2 (permalink)
I helped the forums.
 
merlin's Avatar
 
Join Date: Sep 2002
Location: Pennsylvania
Posts: 1,612
OS: 3.11


hello freight,
screg.exe is a service controller and is used to start system services that are supposed to start automatically...so far, as I know that's used by winNT..dunno about win98SE...maybe that's why AV is not paying attention to it...do you know what kind of virus you had on there?

as far as MSGSRV32.exe goes do you get a general protection fault error ?
This can also be an issue with the sound card/modem that uses C-Media CMI8330 sound chip. This sound chip is used with various sound cards, and is also used with some modems. try doing this to see if it works (that's if you get an error)...


Restart your computer in Safe mode. In Windoze 98, restart your computer, press and hold down the CTRL key until you see the Startup menu, and then choose Safe Mode.

when Windoze loads...
Click Start, point to Settings, click Control Panel, and then double-click System.
Click the Device Manager tab.
Double-click the Sound, Video And Game Controllers to expand it.
Click your sound card, and then click Properties.
On the Drivers tab, click Driver File Details. Check to see that you are using the Cm8330sb.drv driver.
On the General tab, click to select the Disable In This Hardware Profile check box.
Click OK, and then click Close.
Restart...

please post back.... :D

Last edited by merlin; 10-18-2002 at 01:38 PM.
Old 10-19-2002, 01:37 PM   #3 (permalink)
Manager, Networking Forums
 
johnwill's Avatar
 
Join Date: Sep 2002
Location: S.E. Pennsylvania, US
Posts: 41,748
OS: Windows 7, XP-Pro, Vista, Linux


Blog Entries: 1
The easy way to find out if this file is anything is to rename it to a non-executable extension, say .SAV. If you reboot and nothing happens, all is well. If there is a problem, you can boot from floppy and rename it back.
Old 10-20-2002, 02:40 PM   #4 (permalink)
Registered User
 
Join Date: Oct 2002
Posts: 13
OS: Win98SE


hmm... that screg.exe file may not have been a virus after all. Yes, NAV did not see it as a virus. I deleted it anyway since I don't want the system doing things 'automatically' without my consent. :)

about that second MSGSRV32.exe file: I just removed its registry entry but the file still exists. I only got the jitters about it since it did not have the 'version-properties tab' that the original one had. The time too was suspicious since I'm usually still up at that moment (September 30 at 3:00 AM) so I think I got that thing myself.

That recent virus intrusion into my system was not screg.exe (I got confused) but MDUWE.exe and server.exe which NAV detected and quarantined as Backdoor.Trojan and Backdoor.Mosuc respectively. I looked for those two on the net (along the dll file it tried to use "euhbqa.dll") but I couldn't find references anywhere. I think that trojan's name is arbitrary.
__________________
wachawamedo?
Old 10-21-2002, 09:53 AM   #5 (permalink)
I helped the forums.
 
merlin's Avatar
 
Join Date: Sep 2002
Location: Pennsylvania
Posts: 1,612
OS: 3.11


Backdoor.Mosuc is basically a subseven ripoff and just like subseven it has 2 main parts... server and remote...server was what was on your pc (server.exe).... the way it works :

you connect to the internet, server.exe is active...
hacker/cracker has remote on his pc and connects to server.exe on your pc...(done by having server.exe broadcasting your IP back to the host...)
and then, the bad guy can do the following:
capture your screen
start/end programs or processes
open/close your cd tray
shut down your pc
change your mouse behavior
go to specific URL... etc...

It seems like NAV passed the test on this one...what did you do after the file(s) were quarantined... are they still sitting on your pc quarantined or did you try to delete them?

[update] hehe forgot something...
as much as I like having AV software on my pc, I always like to go through the system after I get a warning or possible infection, just to make sure everything is clean...so in your case you can :

1. Click Start and Run.
2. Type the following, and then click OK.

edit c:\windows\system.ini

The MS-DOS opens.


3. In the boot section at the beginning of the file, look for the line that begins with:

shell=Explorer.exe

4. Look for anything that has been added to the line. It may appear similar to the following:

shell=Explorer.exe something.exe

5. Remove the reference to something.exe. When you are finished, the line must read:

shell=Explorer.exe

save and exit.

Checking the registry :
if you're not comfortable with playing w/registry, skip this :D

Click start, run type regedit and click ok.
look through these registry keys, both data and name.
If there is any reference to the backdoor.mosuc, click name
hit delete, and yes to confirm, same with data.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HTH

later
p.s. hopefully our kind moderators will not move this to virus forum. :D

Last edited by merlin; 10-21-2002 at 10:17 AM.
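
As an added example (not part of merlin's post or of any tool mentioned in the thread), the two manual checks above can be run over a saved copy of system.ini and a regedit export of the autorun keys. The sample file contents, the value name `LoadMsg` and the `EXPECTED_DIR` table are constructed for illustration.

```python
import ntpath
import re
# Constructed samples: a system.ini fragment and a REGEDIT4 export of two autorun keys.
SYSTEM_INI = """[boot]
oemfonts.fon=vgaoem.fon
shell=Explorer.exe something.exe
[386Enh]
"""

RUN_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"LoadMsg"="C:\\WINDOWS\\VXD\\MSGSRV32.EXE"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
'''

# Assumption: the folder each stock Win98 component is expected to load from.
EXPECTED_DIR = {"msgsrv32.exe": r"c:\windows\system", "explorer.exe": r"c:\windows"}

def shell_extras(ini_text):
    """Return anything appended after Explorer.exe on the [boot] shell= line."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            parts = line.split("=", 1)[1].split()
            return [p for p in parts if p.lower() != "explorer.exe"]
    return []

def misplaced_autoruns(reg_text):
    """Flag autorun values naming a known system file that sits in the wrong folder."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        m = re.match(r'"(.*?)"="(.*)"$', line)
        if key and m:
            path = m.group(2).replace("\\\\", "\\")  # undo .reg backslash escaping
            folder, name = ntpath.split(path.lower())
            want = EXPECTED_DIR.get(name)
            if want and folder and folder != want:  # bare names resolve via PATH, skip
                hits.append((key.rsplit("\\", 1)[-1], m.group(1), path))
    return hits
```

Each hit is a tuple of key name, value name and path, so an entry like the all-caps copy under the VXD folder shows up even when the antivirus scan reports nothing.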
Old 10-21-2002, 11:39 AM   #6 (permalink)
Registered User
 
Join Date: Oct 2002
Posts: 13
OS: Win98SE


re: quarantine

I deleted them as quickly as I could. Would those files still be available to the cracker even if quarantined? I updated NAV so it may have been that that allowed it to detect those files.

there's nothing attached to the shell=explorer.exe string on system.ini.

I also go through the registry from time to time - doing some minor enhancements I pick up from the web and checking for strings that I don't like to see in the HKLM\...\Run etc.. window/s. :)
__________________
wachawamedo?
Old 10-21-2002, 01:40 PM   #7 (permalink)
I helped the forums.
 
merlin's Avatar
 
Join Date: Sep 2002
Location: Pennsylvania
Posts: 1,612
OS: 3.11


when Norton quarantines files, it basically isolates those files off so you can delete them without any consequences...no one should have access to them remotely after they've been quarantined. It seems like you got in a good habit of "raiding" your system from time to time and weeding out unwanted junk, which IMO, everyone should do regularly... one good tool you can use for keeping your registry in shape is regcleaner. Dunno if you already have this, but you don't have to be a whiz to use it...it helps you get rid of old entries, unused dll's and more...you can get it here

have fun and stay safe ! :D
Old 10-22-2002, 07:48 AM   #8 (permalink)
Registered User
 
Join Date: Oct 2002
Posts: 13
OS: Win98SE


thanks for the recommendation. I hardly ever download any programs before; like regcleaner or ad-aware etc since I'm quite paranoid of the effects of those programs. I don't even run any firewall programs (I don't go for BIDefender or ZAlarm because I always hear ill things on each).

I'll start using regcleaner then per your recommendation. thanks. :)
__________________
wachawamedo?