New Member
         
Group: Forum Members Last Login: 4/28/2006 8:12 PM Posts: 26, Visits: 29 |
Hi Guys,
I've come across a problem where Norton AV is killed as a process immediately after startup. I've searched Google and it seems there is a backdoor which hacks the registry to start on startup; the process involved is called msuexec16.exe. I've ended the process, however it is restarted every time an .exe program is run.
I've tried running Norton AV, Spybot and Ad-Aware; none pick it up.
Any ideas guys?
Cheers
Senior Forum Advisor
         
Group: Senior Advisor Last Login: 12/4/2005 12:31 AM Posts: 4,743, Visits: 5 |
Hi raleidi,
Let's try this: go to http://www.tomcoyote.org/hjt/ and download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log somewhere, load it in Notepad, and copy its contents here.
Most of what it lists will be harmless or even required, so do NOT fix anything yet. Someone here will be happy to help you analyze the results.
Cheers
New Member
         
Group: Forum Members Last Login: 4/28/2006 8:12 PM Posts: 26, Visits: 29 |
Hi Bulldog,
Thanks for the advice, below is the log file:
Logfile of HijackThis v1.95.1
Scan saved at 05:01:42, on 27/07/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\System32\dsl*gent.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINNT\System32\GSICON.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/?.intl=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://mail.yahoo.com/?.intl=us
R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [Dsl*gENTEXE] dsl*gent.exe USB
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Microsoft© PID Lex] C:\WINNT\System32\PIDLex.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .bmp: C:\Program Files\Internet Explorer\PLUGINSpqtplugin.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINSpqtplugin.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{73021AEF-F8C4-4A64-BE2B-E7546B527E01}: NameServer = 212.67.120.148 212.67.96.129
Cheers
Senior Forum Advisor
         
Group: Senior Advisor Last Login: 12/4/2005 12:31 AM Posts: 4,743, Visits: 5 |
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
Please do the online scan and let us know how you make out and what it finds.
I'm signing off, but someone will be around to help.
Good luck
Cheers
Forum Security Advisor
         
Group: Advisor Last Login: 8/14/2007 12:45 PM Posts: 263, Visits: 4 |
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
Reboot after doing so, preferably into safe mode, and delete:
C:\WINNT\rundll16.exe
Regards,
Pieter
Madly in anger with spyware
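As an added example that is not part of this thread or of HijackThis itself: a small Python script that pulls the O4 (Run key) entries out of a HijackThis log and applies the two checks a log reader makes by eye on the entry above, a file dropped straight into the Windows directory and a name that imitates a real system binary (rundll16 against rundll32). The log excerpt is constructed from the entries quoted earlier in the thread, and the list of imitated system binaries is my own assumption.

```python
import re

# Constructed excerpt: the O4 (Run key) lines from the HijackThis log quoted in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINNT\rundll16.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Assumed list of genuine Windows binaries whose names malware likes to imitate by changing digits.
LOOKALIKE_TARGETS = {"rundll32", "svchost", "lsass", "winlogon", "explorer", "msiexec"}

def parse_o4(log):
    """Return a list of {hive, name, cmd} dicts, one per O4 entry in the log."""
    return [m.groupdict() for m in (O4_RE.match(l.strip()) for l in log.splitlines()) if m]

def executable_path(cmd):
    """Executable part of a Run command line: the quoted path, else the first token."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]

def reasons_to_check(entry):
    """Heuristics a log reader applies by eye to one O4 entry; an empty list means nothing odd."""
    path = executable_path(entry["cmd"])
    low = path.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    # Legitimate software installs under Program Files or System32, not straight into the
    # Windows directory (C:\WINNT on Windows 2000), which is where the thread's rundll16.exe sits.
    for windir in ("c:\\winnt\\", "c:\\windows\\"):
        if low.startswith(windir) and "\\" not in low[len(windir):]:
            reasons.append("file sits directly in the Windows directory")
    # Same name as a system binary once trailing digits are stripped, but not the real name.
    base = re.sub(r"\d+$", "", stem)
    if any(stem != t and re.sub(r"\d+$", "", t) == base for t in LOOKALIKE_TARGETS):
        reasons.append("name imitates a Windows system binary")
    return reasons

def audit(log):
    """(value name, executable path, reasons) for every O4 entry worth a second look."""
    rows = [(e["name"], executable_path(e["cmd"]), reasons_to_check(e)) for e in parse_o4(log)]
    return [row for row in rows if row[2]]
```

Running `audit(HJT_LOG)` flags only the Rundll16 entry, with both reasons, and leaves the vendor and Microsoft entries alone.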
Senior Forum Advisor
         
Group: Senior Advisor Last Login: 12/4/2005 12:31 AM Posts: 4,743, Visits: 5 |
Thanks Pieter, where the heck have you been?
Don't be a stranger.
Cheers
New Member
         
Group: Forum Members Last Login: 4/28/2006 8:12 PM Posts: 26, Visits: 29 |
Hi Guys,
Thanks for your help and advice.
Pieter, I have removed the 3 checked entries in "HijackThis" and rebooted the PC into safe mode to delete rundll16.exe; however, I couldn't find this file. Also, Norton AV appears to be running as it should.
Bulldog, I'm running HouseCall again just to make sure all is OK. I have also run Spybot & Ad-Aware.
There is one thing I noticed today, which may be nothing more than paranoia on my part.... I have 3 processes running called svchost.exe. I know these are generic processes; however, in Trend Micro's report on bkdr_optixpro they mentioned client/server ports opening, etc., and I was worried these processes might be it.
Tell me guys, am I losing it?!?!?
Cheers