
Anyone familiar with msnexnis.exe?


19 replies to this topic

#1 advent619


Posted 15 April 2015 - 04:10 PM

So a client brought in their machine for me to look at, as it was behaving oddly. Any window that was opened would minimize itself.
I opened up Task Manager and noticed a process that would start the minute a window (including Task Manager) would minimize. It was called msnexnis.exe.
So I went to the file location and found it under ProgramData. Deleted it and the issue went away.

Upon inspecting the file the only information I got from it was the following:

msnexnis.exe
Ridgeville6
Warst0

I assume Warst0 is the author and Ridgeville6 is something related to the program.

Google doesn't turn up anything and there are 0 results from a myriad of scanners (MWB, Vipre, VR, Combofix, Hitman etc).

Thoughts?



#2 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 15 April 2015 - 04:37 PM

Hi advent619 :)

Is it possible for you to upload that file on ge.tt and send me the download via PM? I'll check it inside a VM and see what's up with it.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 advent619

  • Topic Starter

Posted 15 April 2015 - 04:40 PM

> Hi advent619 :)
>
> Is it possible for you to upload that file on ge.tt and send me the download via PM? I'll check it inside a VM and see what's up with it.

Yeah, give me a second. I'll zip it up and PM you it.

EDIT: Bombs away.


Edited by advent619, 15 April 2015 - 04:50 PM.


#4 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 15 April 2015 - 04:58 PM

It's malware, here's the VirusTotal report.

https://www.virustotal.com/en/file/0894f61e745ad7de606e458c92383a16e06779aeeaafd7a467c02044900e8dc6/analysis/1429135061/

Looks like a pretty nasty piece of malware as well, I suggest you get it removed in the MRT section. In any case, that system has been compromised and the data it contains should be considered compromised as well.

Edit: Also I scanned the file with Malwarebytes, and it detected it. I still recommend you get it removed in the MRT section however, since it's not the kind of infection you can deal with in AII. In order to do that, you have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section. You have to follow the instructions in the preparation guide prior to posting your thread, since it contains the steps to follow when posting it.

Edited by Aura., 15 April 2015 - 05:04 PM.



#5 advent619

  • Topic Starter

Posted 15 April 2015 - 05:11 PM

> It's malware, here's the VirusTotal report.
>
> https://www.virustotal.com/en/file/0894f61e745ad7de606e458c92383a16e06779aeeaafd7a467c02044900e8dc6/analysis/1429135061/
>
> Looks like a pretty nasty piece of malware as well, I suggest you get it removed in the MRT section. In any case, that system has been compromised and the data it contains should be considered compromised as well.
>
> Edit: Also I scanned the file with Malwarebytes, and it detected it. I still recommend you get it removed in the MRT section however, since it's not the kind of infection you can deal with in AII. In order to do that, you have to post a thread in the Virus, Trojan, Spyware, and Malware Removal Logs section. You have to follow the instructions in the preparation guide prior to posting your thread, since it contains the steps to follow when posting it.

I have a few other pieces of software that will facilitate removing anything else on the machine. I'm not the end user. I work in IT and have for a long time. Should I require any assistance I'll post on the forums. I just stopped by to see if anyone was familiar with that particular file. I removed it manually initially and scanned for remnants using the tools I listed in my initial post. Those returned nothing.

Thanks.


Edited by advent619, 15 April 2015 - 05:13 PM.


#6 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 15 April 2015 - 05:14 PM

No problem then advent :) And knowing the fact that malware often generates random names and icons for its executables, it's hard to say. There could be tons of malware that use an svchost.exe file in AppData\Local to launch themselves, but they could all be of different families.

Good luck!



#7 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 15 April 2015 - 08:34 PM

Anytime you come across a suspicious file about which you cannot find any information, a file that has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to one of the online services that analyzes suspicious files.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#8 rp88


Posted 16 April 2015 - 12:19 PM

VirusTotal is the one I generally use, but it only works for files below around 100 MB so sometimes you can't scan big installer exe files with it. It also lets you perform some types of scans upon a URL.
Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, Intel i3 processors, Windows 8.1 installed on the hard drive and Linux Mint 17.3 MATE installed to USB

#9 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 19 April 2015 - 07:12 AM

That is why I included alternatives like Metascan.

#10 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 19 April 2015 - 09:03 AM

Correct me if I'm wrong but, if the file is way too big, I guess it's always possible to download the portable version of herdProtect and make it scan that single file.



#11 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 19 April 2015 - 03:54 PM

It's possible but not necessary when there are online services which can do the same.

#12 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 19 April 2015 - 03:57 PM

Yeah but if the file is bigger than 140MB, which is the maximum file size allowed by MetaScan I think and the one that offers the biggest size, I guess there are no options to scan a file against multiple Antivirus engines other than using herdProtect, since I think it doesn't have a file size limit.



#13 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 19 April 2015 - 04:07 PM

I have never encountered a single malware file over 140 MB.

#14 Aura

    Bleepin' Special Ops
  • Malware Response Team

Posted 19 April 2015 - 04:09 PM

Yes I agree with that, except that they don't need to be malicious. Let's say that I want to scan a file of like 250MB and I don't know if it's malicious or not and I would like the Antivirus results on it. I couldn't use any online service due to the size of the file. Using the portable version of herdProtect would allow me to scan it and get results. Anyway it was just a question to ask if it can be done and I guess it can, but it might not be needed, only in rare situations :P



#15 quietman7

    Bleepin' Janitor
  • Global Moderator

Posted 19 April 2015 - 04:45 PM

That makes no sense to me. You say you agree and have never encountered a single malware file over 140MB.

Then say a file doesn't need to be malicious and go on to say you don't know if a 250MB file is malicious.
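Added example, not posted by anyone in this thread: a small Python triage helper covering quietman7's advice in #7 (hash an unknown file and look it up with an online service), Aura's svchost.exe-in-AppData\Local point in #6, and the upload-size discussion in #8 to #14. The 100 MB and 140 MB ceilings are the posters' figures, the VirusTotal URL form is the one Aura quoted, and the list of system binary names is my own assumption.

```python
import hashlib
import os

# Upload ceilings as posted in the thread (VirusTotal "around 100Mb", Metascan 140 MB).
# These are the posters' figures, not verified limits; herdProtect's portable scanner
# is described there as having no size limit, so it is the fallback when nothing fits.
UPLOAD_LIMITS_MB = {"VirusTotal": 100, "Metascan": 140}

# Assumed list: Windows binaries that belong under System32/SysWOW64. A copy in
# ProgramData or AppData\Local (Aura's svchost.exe example) is worth a second look.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def services_for_size(size_bytes):
    """Online services whose posted upload limit this file fits under (may be empty)."""
    size_mb = size_bytes / (1024 * 1024)
    return [name for name, limit in UPLOAD_LIMITS_MB.items() if size_mb <= limit]


def triage(path):
    """Hash one executable, build the hash-lookup URL in the form quoted in the thread,
    and flag a system binary name sitting outside the system directories."""
    digest = sha256_of(path)
    name = os.path.basename(path).lower()
    lowered = os.path.normpath(path).lower()
    in_system_dir = "system32" in lowered or "syswow64" in lowered
    return {
        "path": path,
        "sha256": digest,
        "vt_url": "https://www.virustotal.com/en/file/%s/analysis/" % digest,
        "services": services_for_size(os.path.getsize(path)),
        "system_name_outside_system_dir": name in SYSTEM_NAMES and not in_system_dir,
    }


def scan_dirs(roots):
    """Walk user-writable roots (e.g. ProgramData, AppData\\Local) and triage every .exe."""
    found = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for fn in files:
                if fn.lower().endswith(".exe"):
                    found.append(triage(os.path.join(dirpath, fn)))
    return found
```

On a Windows box the roots would normally be the %ProgramData% and %LOCALAPPDATA% directories the thread talks about; nothing is uploaded by this script, it only tells you what hash to look up and where the file can be submitted.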
