Msniu.exe

(I thought I posted a question on this last night, but it is nowhere to be found. If I violated any Terms of Use in that message and it was deleted, let me know… I didn’t mean to.)

At startup, Msniu.exe tries to start. According to what I’ve read, this is a virus. I’ve searched for the msniu.exe file, but could not find it. However, the relevant registry entries are there that make it try to start up. If I delete those entries, should I be clean? I ran a thorough avast scan, and it found nothing - not even when it scanned memory or startup, which I thought would see that this is trying to start up.

Is this problem currently in the avast definitions? And when was it put there? My daughter got it through AIM on Tuesday or Wednesday, and avast is set to update the defs automatically. I’m wondering if it snuck through before the definition for it came out…

Using avast alone is not enough. See the malware removal on my website (see signature)

Can I assume then, that avast! has not included this in their definitions?

And… do you think AdAware would clean it? Or should I manually remove the registry entries?

(Fortunately, I created a system image in September, so I can easily revert to that, I am just trying to learn from this experience…)

This needs permission in order to be able to create files in the system folders.

Whilst browsing, collecting email, or using any other program that you connect to the internet, if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator.

You could try one of the on-line scanners, such as Trend Micro’s HouseCall, or manually remove it following the information at this link, under the Advanced tab - http://www.sophos.co.uk/virusinfo/analyses/w32rbotawb.html

When it tries to start, we get the MS security warning asking if we really want to run it. We have clicked Cancel, so, to my knowledge, it has never run.

The manual removal just mentions the registry - I cannot find an actual msniu.exe file (even had it show hidden files in my searches), so I guess I can just do that.

Sorry, I’m not really used to having malware. I guess I’ve been pretty lucky… I do appreciate your time.

Well, just removing the registry entries will only stop it from being started; it doesn’t matter whether the file is there if it is never called/started, so this is just a start, but a good one.

You are probably just getting the idea that doing that is good ;D just kidding ;D

Ensure that in Explorer, Tools, Folder options you view hidden files and folders.

If it is in a system folder you should disable System Restore, otherwise Windows will create a copy in a system restore point.
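The check described in the last few posts (find the autostart registry entries, remove them, then look for the file with hidden files visible) can be scripted. The following is an added example and not code from the thread or from any of the vendors mentioned: it searches the standard Windows Run/RunOnce/RunServices keys for any value that references a given executable name (defaulting to msniu.exe, the name from this thread), optionally removes those values, and then looks for the file itself under the Windows folder with hidden and system files included. The key list is the generic set of autostart locations; nothing here is specific to this sample, and the exact value names the malware uses are not stated on this page.

```powershell
# Added example: locate (and optionally remove) autostart registry values that
# launch a named executable, then look for the file with hidden files included.
# Run from an elevated (Administrator) PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Target = 'msniu.exe',   # name taken from the thread; assumption that this is the exact file name
    [switch]$Remove                  # without -Remove the script only reports
)

# Standard autostart locations; the malware's actual value names are not known from the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Metadata properties Get-ItemProperty adds to every result; these are not registry values.
$psMetaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Find-AutostartEntries {
    param([string]$Name, [string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($psMetaProps -contains $prop.Name) { continue }
            # Match the executable name anywhere in the command line (path may vary).
            if ("$($prop.Value)" -match [regex]::Escape($Name)) {
                [pscustomobject]@{
                    Key       = $key
                    ValueName = $prop.Name
                    Command   = $prop.Value
                }
            }
        }
    }
}

function Find-TargetFile {
    param([string]$Name)
    # The Sophos write-up says the file sits in the system folder, so check
    # the Windows folder and System32. -Force includes hidden and system files,
    # which Explorer and a default search skip.
    $roots = @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter $Name -Force -File -ErrorAction SilentlyContinue
    }
}

$hits = @(Find-AutostartEntries -Name $Target -Keys $runKeys)
if ($hits.Count -eq 0) {
    Write-Host "No autostart registry values reference $Target."
} else {
    Write-Host "Autostart values referencing ${Target}:"
    $hits | Format-Table -AutoSize
    if ($Remove) {
        foreach ($h in $hits) {
            # -WhatIf / -Confirm are honoured here via ShouldProcess.
            if ($PSCmdlet.ShouldProcess("$($h.Key)\$($h.ValueName)", 'Remove autostart value')) {
                Remove-ItemProperty -Path $h.Key -Name $h.ValueName
            }
        }
    }
}

$files = @(Find-TargetFile -Name $Target)
if ($files.Count -eq 0) {
    Write-Host "No file named $Target found under $env:SystemRoot (hidden and system files included)."
} else {
    Write-Host "Files found:"
    $files | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize
}
```

Run it once without -Remove to see what it finds, then with `-Remove -WhatIf` to preview the deletions before running `-Remove` for real. If the file does turn up in a system folder, note its full path before deleting it; on Windows versions that support it, `Disable-ComputerRestore -Drive 'C:\'` (in Windows PowerShell) turns off System Restore so the file is not preserved in a restore point, as the post above warns. On 64-bit Windows the `WOW6432Node` copy of the Run key under HKLM is a further location worth adding to the list.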

I guess then I’m back to my original question… How to remove it… Manually or otherwise…

The Sophos link provided only mentions the registry entries as being added and that the msniu.exe file is in the system folder. I cannot manually find it (yes, I have it set to search hidden files and folders as well) and avast! does not see anything, even the startup registry entries…

Might be easier just to re image it…

Hi hrova,

I regret to say that avast! may not detect this virus. Sadly Sophos often has a virus write-up for viruses avast! can’t see. There is a Sophos virus scanner you can use, if you are OK with using the command prompt:

Sophos Anti-Virus: Sophos have a downloadable scanner called SAV32CLI. They also make available their latest virus identity (IDE) files for download. Download SAV32CLI and un-zip the folder. Download the latest IDEs and copy them to the folder. Burn the folder to a CD, boot into Safe Mode with Command Prompt and run the program using the commands given. (Links: Sophos’s SAV32CLI, Sophos’s IDE)

http://www.geocities.com/dontsurfinthenude/antivir2.htm

FreeWheelinFrank - thanks for your comments… I do appreciate people trying to help me, but from what I’m hearing, avast!

I have been an avast! supporter for the 9 months or so that I’ve used it, and have recommended it to many. My and my mother-in-law now use it, as do various other friends and relatives… I understand it is free, but feel that one that can detect a higher percentage of viruses is worth the investment…

Is there some reason why avast! would not detect this? Am I missing something?

Hi again hrova,

I use avast! myself, but whatever anti-virus you use, there’s always a risk if you don’t take some sensible precautions. Some AV’s catch 95% of viruses, some catch 90%.

This virus spreads by ‘sending download links through the AOL Instant Messenger (AIM) client to online “buddies”.’

If a user downloads from a link, there’s always a chance of infection.

The primary preventative measure should be user awareness. Not downloading dubious software or opening suspicious attachments, and keeping the OS up to date will prevent 99.999% of infections, if not 100%.

Of course, having said that, I still think it doesn’t reflect well on avast! if Sophos has virus write ups for viruses avast! still can’t detect. This one is only two days old. But in virus time, that’s a long time…

  1. this would appear to be a relatively new variant.
  2. it exploits an MS vulnerability that has been patched, so ensure your OS is fully up to date. Or it uses AIM (by sending download links through the AOL Instant Messenger (AIM) client to online “buddies”).
  3. there will always be first day/undetected virus vulnerabilities, AVs are reactive for the most part, so it is important to do your part in trying to limit the potential damage. Either using a limited user account (which can be a pain) or try DropMyRights (my pet hobby horse), if a new virus can’t create registry entries or place files in the system folders the potential is limited also.

Although being on AOHell may complicate this, as AIM is launched from inside the AOHell interface (guessing here, I have never used AOHell), so creating a shortcut for DropMyRights to launch AIM may be difficult.

Having deleted the registry keys and rebooted, are you still getting the "At startup, Msniu.exe tries to start." message? If not, this is a step in the right direction and shows deleting the registry key to launch it has worked. If you are still getting it trying to connect, can you at least see the full path to the file and show it here? Then we can try to see if we can’t find a way to delete it.

I’ll try tonight…

It was a teenage daughter on AIM… And she KNOWS (apparently not) not to click on sent links… The thing is, she has been told that several times, and when I asked her about it, she said, “Well, he’s sent me links before…” Trying to defend herself, she implied that she has done it before…

Sigh… Kids…

If this is something avast will include in future defs, that would make me feel better. I kind of got the idea that some things avast just wouldn’t deal with, and this was one of them… Hopefully I was wrong about that.

Thanks again. These forums are one reason why I like avast so much… I don’t use them a lot, but it’s nice to know people like you guys are willing to help.

I’m sure it will be in due course, but the first line of defence has got to be common sense, I know, kids. Perhaps a threat of punitive action, loss of internet access for a week might concentrate the mind ;D

Having deleted the registry keys and rebooted, are you still getting the "At startup, Msniu.exe tries to start."
I should have put a question mark after this: has deleting the registry keys stopped this?

I will check this evening… Again, thanks for everything…

The computer is on a wireless internet connection through a USB adapter… Very easy to pull out and replace if / when needed… >:( ;D ;D

From the antispyware forums I browse and the security newsletters, it appears AOL IM has more security breaches than all the other IMs. I do not recall any such “breaches” within the last year concerning Yahoo IM, and this is the one I use and recommend you do likewise.

I deleted the registry entries, but since no one seemed too sure about the actual msniu.exe file (and if I even had it hidden somewhere…), it was a good opportunity to use the disk image I had made in September…

Rather than worry about whether I cleaned it out manually, all is done with a clean image. Simple, and I guess that’s why I bought Acronis in the first place.